Archive for May, 2009

Knowing Your Assets – Where and How To Spend Your Security Dollars

Security is expensive. Personnel and equipment cost a lot. Taking a risk-based approach to securing your assets can help with budget priorities too. Someone posted a link in IRC earlier, and it reminded me of how sometimes we make bad security prioritization and investment decisions.

Secured Payload

This illustrates how the security investment ends up costing more than the asset is worth.

*Yes, I know this is just a trucker with a sense of humor.

More to come soon… with some code

I’ve been using a commercial tool (Archer SmartSuite) for my SCAP reporting. As I accumulate more and more records, Archer is getting slower and slower. Right now it takes more than one day to import one day’s worth of data (only about 13,000 records). Until Archer improves its performance, I’m going to have to find another way.

I’ve started writing my own reporting using PHP and Open Flash Charts. If you haven’t played with it yet, check it out at http://teethgrinder.co.uk/open-flash-chart-2/

I’m able to query the MySQL database from PHP and send the data directly to the charts. It’s wicked fast and very customizable.

Screenshots and code to come soon!

The Demo Went Well

For the most part, everyone thinks this is the way to go. Judging by the expressions on the faces of some of the stakeholders in our current vulnerability management team, they can see the dwindling relevance of their process. They are hesitant to accept it, but I think they will jump on board soon. They won’t have a choice.

One of the questions that came up is: “How do we score the vulnerabilities in the code that we develop?”

The short answer is: “I don’t know.”

It’s easy to work with CVEs. They’re industry accepted. There aren’t any CVEs for the code that we develop in-house, and we develop a lot of code. If I remember correctly, we scan approximately 2 million lines of code per month for vulnerabilities.

We can apply CWE (Common Weakness Enumeration) to our in-house code, but there’s no direct CVSS link there yet. I am tossing around the idea of creating our own set of CVEs for our own code: MYCOMPANY-CVE-2009-001 or something like that. We will have to work with our third-party application assessors to find a common system that they can all work with.

What are you all doing for code developed from within your companies?

Demonstrating our SCAP Vulnerability Pilot Tomorrow

At work, there are a few of us in infosec that “get it” when it comes to SCAP. Two of our engineers have put in many, many hours developing the scanning tools (we’re not using the OVAL interpreter; I’ll explain why, but that’s another blog post), writing the checks for the tool, getting the server administrators’ buy-in, and getting the resulting data into a form that I can use. In the system and process they have developed, we are scanning every asset for every applicable CVE that we have a check for. In our pilot, we have almost 400 servers that are being scanned every night. I get about 13,000 scan result records every day.

Tomorrow I will be showing the output of my reporting to a larger group within our infosec shop. I’ve built a dashboard that has some generic reports. With the data I have, I will show them:

  • Additive CVSS Score for the day (this is in the 50,000s)
  • Number of assets scanned
  • Number of unique vulnerabilities found
  • Total vulnerabilities found
  • 2-week trend of CVSS Additive Score
  • 2-week trend of number of assets
  • 2-week trend of unique vulnerabilities

These reports are probably not very useful, but will provide enough visibility into what we’re capable of reporting on.

I’ll let you know how it goes!

Live Stream/Recording Notice

No SCAP post tonight, but I will be live tonight at 8PM EST co-hosting the SecuraBit Podcast.

Tonight’s guest is Russell Butturini who developed the Incident Response USB Switchblade.

Listen in to the live stream at around 8PM EST Tonight: http://radio.packetsense.net:8000/listen.m3u

Mebeam Video: http://www.mebeam.com/securabit

SecuraBit’s Website: http://securabit.com

Thanks, and I hope you tune in!

Article Link: How SCAP Brought Sanity to Vulnerability Management

Orbitz CISO Ed Bellis explains how the proliferation of vulnerability assessment products and services has created chaos, and how SCAP may be the answer.

It’s safe to say that vulnerability assessment tools have become commonplace within most security teams’ toolboxes. As security programs mature, they often begin to look at ways to automate tasks that are mundane and repetitive.

Check out the article here: http://www.csoonline.com/article/492213/How_SCAP_Brought_Sanity_to_Vulnerability_Management

Extending CVSS Beyond Its Base Score

I may be using CVSS outside its intended scope in the way I apply the scores. I don’t care… it works for me, and I haven’t found a better way. I am using CVSS to help identify which assets need the most attention first.

Every CVE is provided with its corresponding CVSS V2 Base Score (NVD publishes one for each entry). In a previous post, I talked about rating every asset with its CIA requirements. These requirements feed into the CVSS V2 Impact Subscore Modifier (the Security Requirement metrics CR, IR and AR of the Environmental score), which reweights the Impact subscore and so tailors the CVSS V2 score to a particular asset.

CVSS scores have a defined 0-10 range. This is great for identifying the severity of a single vulnerability, but the standard defines no way to aggregate several scores while staying within that range. In my implementation, I have decided to use an additive CVSS score per device.

By this, I mean that I add together all the CVSS scores for each CVE found on a particular device. A device may have a risk score in the hundreds. This is OK. When I report on the devices, I show several pieces of information:

  • Device Name
  • Number of Vulnerabilities (unique CVEs)
  • Additive CVSS V2 Base Score
  • Additive CVSS V2 Overall Score (the Environmental score: the Base Score recalculated with the Impact Subscore Modifiers, i.e. the asset’s CIA requirements)
  • CVSS V2 Delta (the Overall Score minus the Base Score) – I will talk about this in a future post.

From this, I can quickly see the relationship of number of vulnerabilities vs CVSS score for all of these vulnerabilities. With our old way of doing things, we would simply look at the number of vulnerabilities on a device and pick out the one with the most.

In practice, I have seen a device with 40 vulnerabilities score 200 while a device with 30 vulnerabilities scores 400. This helps identify our most troubled assets.

Why Defining your Asset-Specific CIA Requirements Is Important


With SCAP, we get our vulnerability information in the form of CVEs. Each CVE provides us with a CVSS V2 Base Score. Among the Base metrics are three impact metrics specific to the vulnerability:

  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact

The cool part is the CVSS V2 Environmental score. It provides three metrics specific to the systems affected by the vulnerability:

  • System Confidentiality Requirement
  • System Integrity Requirement
  • System Availability Requirement

These requirements weight the vulnerability’s impact metrics, which shows you the true impact of a vulnerability on a given asset. For example, a vulnerability with a high confidentiality impact applied to a system with a high confidentiality requirement will get a higher CVSS V2 Environmental Score than the same vulnerability on a system with a low System Confidentiality Requirement.

Looking at the CVSS Base Score alone does not illustrate the true impact of a given vulnerability to your environment.

Where to start? Know your assets!

To measure the impact of vulnerabilities on your assets, you have to understand what your assets are and where their criticalities lie. This is a manual step that will enable automation. I am working on a way to automate this step in my company. More to follow on that.

Security folks understand Confidentiality, Integrity, and Availability. This is the basis of the CVSS score as well. These terms might not be so clear to system administrators who aren’t bathed in security daily. In my company, our system administrators risk rate their assets with three categories, and three risk levels (High, Medium, Low):

  • Data Risk (Highest classification stored on the system)
  • Network Location Risk (Proximity to the internet perimeter)
  • Business Risk (Criticality to the operation of the business)

Roughly translated, the Data Risk can be considered Confidentiality, the Network Location Risk can be considered Integrity, and the Business Risk can be considered Availability. This may seem like a stretch, but it works for us.

The sysadmins rate their assets this way because CIA isn’t easily understood by everyone.

Next, is to tie this in with the rest of your risk rating puzzle pieces, but that’s another blog post.

Welcome to a blog about boring stuff

Computer security takes a lot of work. How do you measure your progress and success? How do you know from where you came, and to where you should head? Wouldn’t it be great if some parts of your information security program ran itself?

Through the use of standards and automation, you can add math and science to your information security program. Get world-class results that are measurable, documentable, and auditable.

Best of all, all of these standards and techniques are absolutely free and community driven. Share your successes and challenges and help give back to the community. We can drive the vendors to become more compliant with security standards and make all our jobs much easier.