OCTAVE-M Implementation Guide: Volume 7


OCTAVE℠ Process 5
Background on Vulnerability Evaluations
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
© 2001 by Carnegie Mellon University
SS5 -1
Vulnerability Evaluation Topics
• Terminology
• Vulnerability tools
• Vulnerability reports
• Strategies for conducting vulnerability evaluations
Terminology
Technology vulnerability
• weakness in a system that can directly lead to unauthorized action
Exploit
• process of using a technology vulnerability to violate security policy
Vulnerability Tools
Vulnerability tools identify
• known weaknesses in technology
• misconfigurations of ‘well known’ administrative functions, such as
- file permissions on certain files
- accounts with null passwords
• what an attacker can determine about your systems and networks
What Vulnerability Tools Identify
[Figure: operational practice areas from the OCTAVE catalog of practices, grouped by area]
• Physical Security: Physical Security Plans and Procedures; Physical Access Control; Monitoring and Auditing Physical Security
• Information Technology Security: System and Network Management; System Administration Tools; Monitoring and Auditing IT Security; Authentication and Authorization; Vulnerability Management; Encryption; Security Architecture and Design
• Staff Security: Incident Management; General Staff Practices
What Vulnerability Identification Tools Do Not Identify
Misapplied or improper system administration (users, accounts, configuration settings)
Unknown vulnerabilities in operating systems, services, applications, and infrastructure
Incorrect adoption or implementation of organizational procedures
Vulnerability Evaluation Tools
Operating system scanners
Network infrastructure scanners
Specialty, targeted, and hybrid scanners
Checklists
Scripts
Operating System Scanners
Operating system scanners target specific operating systems, including
• Windows NT/2000
• Sun Solaris
• Red Hat Linux
• Apple Mac OS
Network Infrastructure Scanners
Network infrastructure scanners target the network infrastructure components, including
• routers and intelligent switches
• DNS servers
• firewall systems
• intrusion detection systems
Specialty, Targeted, and Hybrid Scanners
Specialty, targeted, and hybrid scanners target a range of services, applications, and operating system functions, including
• web servers (CGI, Java)
• database applications
• registry information (Windows NT/2000)
• weak password storage and authentication services
Checklists
Checklists provide the same functionality as automated tools.
Checklists are manual, not automated.
Checklists require a consistent review of the items being checked and must be routinely updated.
Scripts
Scripts provide the same functionality as automated tools, but they usually have a singular function.
The more items you test, the more scripts you’ll need.
Scripts require a consistent review of the items being checked and must be routinely updated.
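As an added illustration of the single-function scripts this slide describes (example code written for this edition, not part of the OCTAVE guide or of any tool it names), the following Python script implements two of the checks listed on the Vulnerability Tools slide: accounts with null passwords, and permissions on certain files. The shadow-format lines and the expected-mode table are constructed samples; only `stat_modes` touches the real filesystem, and it is optional.

```python
"""Two single-purpose checks of the kind a vulnerability script performs.

Added example, not part of the OCTAVE guide. All sample input below is
constructed so the script runs offline; nothing here changes the system.
"""
import os
import stat

# Constructed sample in /etc/shadow format:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhashjustaconstructedsample:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc-report::19000:0:99999:7:::
"""


def null_password_accounts(shadow_text):
    """Return the names of accounts whose password field is empty.

    A locked account ('*' or '!') is not a null password: no hash can
    match, so password login is impossible. An empty field means no
    password is required, which is the weakness the check looks for.
    """
    found = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; a production script would log it
        name, pw_hash = fields[0], fields[1]
        if pw_hash == "":
            found.append(name)
    return found


# Expected maximum permission bits for "certain files". Constructed
# baseline; an organisation's own checklist supplies the real values.
EXPECTED_MODES = {
    "/etc/shadow": 0o640,
    "/etc/passwd": 0o644,
    "/etc/ssh/sshd_config": 0o600,
}


def permission_findings(actual_modes, expected_modes=EXPECTED_MODES):
    """Compare observed permission bits with the expected maximum.

    actual_modes maps path -> permission bits. A finding is raised when
    a file grants any bit the baseline does not (e.g. world read on a
    file that should be private) or when a baseline file is absent.
    """
    findings = []
    for path, expected in expected_modes.items():
        if path not in actual_modes:
            findings.append((path, "missing"))
            continue
        actual = actual_modes[path] & 0o777
        extra = actual & ~expected  # bits present that the baseline forbids
        if extra:
            findings.append(
                (path, f"mode {actual:04o} exceeds expected {expected:04o}")
            )
    return findings


def stat_modes(paths):
    """Collect permission bits for real paths; silently skips absent ones."""
    modes = {}
    for p in paths:
        try:
            modes[p] = stat.S_IMODE(os.stat(p).st_mode)
        except FileNotFoundError:
            pass
    return modes


if __name__ == "__main__":
    print("null-password accounts:", null_password_accounts(SAMPLE_SHADOW))
    # Constructed observation standing in for stat_modes(EXPECTED_MODES)
    observed = {"/etc/shadow": 0o644, "/etc/passwd": 0o644}
    for path, message in permission_findings(observed):
        print(path, message)
```

Each function does exactly one thing, which is why the slide warns that the number of scripts grows with the number of items tested: a third item (say, a service that should not be running) would be a third script, and each baseline table has to be reviewed whenever the build standard changes.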
Vulnerability Tool Reports
Vulnerability reports usually provide:
• identification and ranking of the severity of technological weaknesses found
• mitigation and corrective steps to eliminate vulnerabilities
Determine what information you require, and then match your requirements to the report(s) provided by the tool(s).
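To show what matching requirements to tool reports looks like in practice, here is an added Python example (not from the guide; the two report formats, the column names, the tool names and every finding are constructed). It states the fields the evaluation requires, normalises each tool's column names to those fields, reports which requirements a given tool cannot satisfy, and ranks the merged findings by severity as the slide's first bullet describes.

```python
"""Match required report information against what each tool provides.

Added example, not part of the OCTAVE guide. The two CSV samples are
constructed outputs of two hypothetical tools, not real products.
"""
import csv
import io

# What this evaluation needs from every finding (assumed requirement set).
REQUIRED_FIELDS = {"host", "weakness", "severity", "remediation"}

# Ordering used for the severity ranking; tools often use these words.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}

TOOL_A_CSV = """host,weakness,severity,remediation
10.0.0.5,Anonymous FTP write access,High,Disable anonymous FTP or remove write permission
10.0.0.7,Telnet service enabled,Medium,Replace telnet with an encrypted remote login service
10.0.0.5,Banner reveals OS version,Low,Suppress version information in the service banner
"""

TOOL_B_CSV = """target,finding,risk
10.0.0.9,Account with empty password,High
10.0.0.7,World-writable /etc/hosts,Medium
"""

# Column names other tools use for the same information (assumed mapping).
FIELD_ALIASES = {"target": "host", "finding": "weakness", "risk": "severity", "fix": "remediation"}


def parse_report(csv_text):
    """Parse one tool's CSV and rename its columns to the required field names."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [{FIELD_ALIASES.get(k, k): v for k, v in row.items()} for row in rows]


def missing_requirements(findings, required=REQUIRED_FIELDS):
    """Required fields that a parsed report does not carry at all."""
    if not findings:
        return set(required)
    return set(required) - set(findings[0].keys())


def requirement_gaps(reports, required=REQUIRED_FIELDS):
    """Map each tool name to the sorted list of required fields it lacks."""
    return {name: sorted(missing_requirements(rows, required)) for name, rows in reports.items()}


def rank_findings(findings):
    """Order merged findings by severity (highest first), then by host."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK.get(f["severity"].lower(), 0), f["host"]),
    )


if __name__ == "__main__":
    reports = {"tool_a": parse_report(TOOL_A_CSV), "tool_b": parse_report(TOOL_B_CSV)}
    print("requirement gaps:", requirement_gaps(reports))
    for f in rank_findings(reports["tool_a"] + reports["tool_b"]):
        print(f["severity"], f["host"], f["weakness"], f.get("remediation", "(no corrective step given)"))
```

The gap table is the practical output: a tool that reports weaknesses but no corrective steps (tool_b above) still contributes findings, but the evaluation team knows up front that remediation guidance for those findings must come from somewhere else.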
Sample Report
[Figure: sample vulnerability tool report]
Other Report Data
[Figure: other data from a vulnerability tool report]
Scoping Vulnerability Evaluations
You need to scope a vulnerability evaluation.
Two approaches are
• examining every component of your computing infrastructure over a defined period of time (comprehensive vulnerability evaluation)
• grouping similar components into categories and examining selected components from each category (targeted vulnerability evaluation)
Targeted Vulnerability Evaluation Strategies
Strategies for targeted vulnerability evaluations include grouping similar components into categories.
Categories can include
• how components are used
• the primary operators of components
• classes of components
OCTAVE Phase 2 Strategy
Phase 2 of OCTAVE is a targeted vulnerability evaluation.
Key classes of components are identified by considering how critical assets are
• stored
• processed
• transmitted
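The following added Python example (written for this edition, not code from the OCTAVE guide) ties together the three preceding slides: scoping a comprehensive versus a targeted evaluation, grouping components by the categories listed (use, operator, class), and deriving the Phase 2 key classes from how a critical asset is stored, processed and transmitted. The component inventory, host names, asset names and the choice of one representative per category are all constructed assumptions.

```python
"""Plan the scope of a vulnerability evaluation from a component inventory.

Added example, not part of the OCTAVE guide. The inventory is constructed.
"""
import random
from collections import defaultdict

# Each component carries the category attributes the slides list (use,
# operator, class) plus which critical asset it handles and whether that
# asset is stored, processed or transmitted by it (Phase 2's criterion).
INVENTORY = [
    {"name": "hr-db-01", "class": "database server", "use": "HR records", "operator": "IT", "asset": "personnel records", "role": "stored"},
    {"name": "hr-db-02", "class": "database server", "use": "HR records", "operator": "IT", "asset": "personnel records", "role": "stored"},
    {"name": "hr-app-01", "class": "application server", "use": "HR records", "operator": "IT", "asset": "personnel records", "role": "processed"},
    {"name": "hr-ws-12", "class": "desktop workstation", "use": "HR records", "operator": "HR staff", "asset": "personnel records", "role": "processed"},
    {"name": "hr-ws-13", "class": "desktop workstation", "use": "HR records", "operator": "HR staff", "asset": "personnel records", "role": "processed"},
    {"name": "core-sw-01", "class": "switch", "use": "internal network", "operator": "network team", "asset": "personnel records", "role": "transmitted"},
    {"name": "vpn-gw-01", "class": "VPN gateway", "use": "remote access", "operator": "network team", "asset": "personnel records", "role": "transmitted"},
    {"name": "fin-db-01", "class": "database server", "use": "finance", "operator": "IT", "asset": "financial ledger", "role": "stored"},
]


def comprehensive_plan(inventory):
    """Comprehensive evaluation: every component is examined."""
    return sorted(c["name"] for c in inventory)


def group_components(inventory, category):
    """Group components by one of the slide's categories: use, operator or class."""
    groups = defaultdict(list)
    for c in inventory:
        groups[c[category]].append(c)
    return dict(groups)


def targeted_plan(inventory, category, per_group=1, seed=0):
    """Targeted evaluation: examine a sample of components from each category.

    The seed makes the selection reproducible so the plan can be reviewed
    and repeated; vary it between evaluation cycles to rotate coverage.
    """
    rng = random.Random(seed)
    plan = {}
    for key, members in sorted(group_components(inventory, category).items()):
        names = sorted(c["name"] for c in members)
        plan[key] = sorted(rng.sample(names, min(per_group, len(names))))
    return plan


def phase2_key_classes(inventory, critical_asset):
    """Key component classes for one critical asset, by how it is handled.

    Returns {"stored": [...], "processed": [...], "transmitted": [...]}
    containing only roles that actually occur for the asset.
    """
    classes = defaultdict(set)
    for c in inventory:
        if c["asset"] == critical_asset:
            classes[c["role"]].add(c["class"])
    return {role: sorted(names) for role, names in classes.items()}


if __name__ == "__main__":
    print("comprehensive:", comprehensive_plan(INVENTORY))
    print("targeted by class:", targeted_plan(INVENTORY, "class"))
    print("Phase 2 key classes for personnel records:", phase2_key_classes(INVENTORY, "personnel records"))
```

Run it with `category="operator"` or `category="use"` to see how the other two groupings change which components end up in scope; the comprehensive plan is the upper bound the targeted plan trades for a shorter evaluation window.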