13 Oct, 2009
article measurable
My colleague Aharon was recently published in SC Magazine with an article on SCAP and Vulnerability Management.
… A fortuitous byproduct of implementing the Security Content Automation Protocol (SCAP) within the organization is that we no longer have to rely on tracking security patches to address vulnerabilities. …
Check it out!
http://www.scmagazineus.com/The-best-way-to-remediate/article/151843/
17 Jun, 2009
measurable
This is just an example. I have no idea how you store your data. This is the method that works for my database framework. You can see where it queries the DB and then calls the classes I posted earlier. This code loops through all the vulnerability scan records in the database for the current day. You would need to print the arrays somewhere to make it useful.
//I keep all my DB Login details in a separate file
include_once 'includes/db.php';
//The cvss_details and calculate_cvss classes from the other two posts must be loaded as well
//Get Info From DB: one row per (server, CVE) found today, joined to the asset's CIA
//risk ratings and to the NVD base metrics for that CVE
$result = mysql_query("SELECT vulns.server, vulns.cve_number, assets.business_risk, assets.data_risk, assets.location_risk, nvd_cve.cvss_score, nvd_cve.cvss_access_vector, nvd_cve.cvss_access_complexity, nvd_cve.cvss_authentication, nvd_cve.cvss_confidentiality_impact, nvd_cve.cvss_integrity_impact, nvd_cve.cvss_availability_impact FROM `vulns` LEFT JOIN (assets,nvd_cve) ON (assets.server=vulns.server AND nvd_cve.cve=vulns.cve_number) WHERE vulns.report_date = CURDATE()")
    or die('Query failed: ' . mysql_error());
//Result arrays, one entry per scan record
$server_name = array();
$cve_number = array();
$cvss_base_score = array();
$cvss_overall_score = array();
//The calculator holds no state, so one instance serves every row
$calc = new calculate_cvss();
while ($row = mysql_fetch_array($result))
{
    $myCvss = new cvss_details();
    //debug defines
    $myCvss->set_cve_number($row['cve_number']);
    $myCvss->set_nist_cvss($row['cvss_score']);
    $myCvss->set_server($row['server']);
    //Define Base Score Details
    //Exploitability Metrics
    $myCvss->set_access_vector($row['cvss_access_vector']);
    $myCvss->set_access_complexity($row['cvss_access_complexity']);
    $myCvss->set_authentication($row['cvss_authentication']);
    //Impact Metrics
    $myCvss->set_conf_impact($row['cvss_confidentiality_impact']);
    $myCvss->set_integ_impact($row['cvss_integrity_impact']);
    $myCvss->set_avail_impact($row['cvss_availability_impact']);
    //Environmental Score Metrics
    //General Modifiers (not tracked here, so the setters fall back to their defaults)
    $myCvss->set_collateral_damage_potential("");
    $myCvss->set_target_distribution("");
    //Impact Subscore Modifiers: the asset's 1/2/3 risk ratings become CR/IR/AR
    $myCvss->set_conf_req($row['data_risk']);
    $myCvss->set_integ_req($row['location_risk']);
    $myCvss->set_avail_req($row['business_risk']);
    //Temporal Score Metrics (not tracked here either; defaults to 1.0)
    $myCvss->set_exploitability("");
    $myCvss->set_remediation_level("");
    $myCvss->set_report_confidence("");
    $server_name[] = $row['server'];
    $cve_number[] = $row['cve_number'];
    $cvss_base_score[] = $row['cvss_score'];
    $cvss_overall_score[] = round($calc->calculate($myCvss),1);
}
17 Jun, 2009
measurable
Did I mention that I wasn’t a programmer? If you can make improvements to this code, I’d love to hear from you. This is my hackjob of code for doing what I need to do. Anyway, here’s my calculator. The DB call code will be in another post.
class calculate_cvss {
    //Returns the overall score for one (server, CVE) pair: the CVSS v2 environmental
    //score when environmental metrics are supplied, otherwise temporal, otherwise base.
    function calculate($cvssDetail)
    {
        //Environmental branch: the impact sub-score re-weighted by the asset's CIA requirements
        $adjustedImpact = $this->adjusted_impact($cvssDetail->conf_impact,$cvssDetail->conf_req,$cvssDetail->integ_impact,$cvssDetail->integ_req,$cvssDetail->avail_impact,$cvssDetail->avail_req);
        $adjustedImpactFunction = $this->adjusted_impact_function($adjustedImpact);
        $exploitabilitySubScore = $this->exploitability_subscore($cvssDetail->access_complexity,$cvssDetail->authentication,$cvssDetail->access_vector);
        //The CVSS v2 guide rounds the adjusted base score before applying the temporal modifiers
        $adjustedBaseScore = round($this->adjusted_base_score($adjustedImpact,$exploitabilitySubScore,$adjustedImpactFunction),1);
        $adjustedTemporalScore = round($this->adjusted_temporal_score($adjustedBaseScore,$cvssDetail->exploitability,$cvssDetail->remediation_level,$cvssDetail->report_confidence),1);
        $environmentalScore = round($this->environmental_score($adjustedTemporalScore,$cvssDetail->collateral_damage_potential,$cvssDetail->target_distribution),1);
        //Base and temporal scores as NIST publishes them (only the final scores are rounded,
        //so that the base score matches the NVD value used for the debug comparison)
        $impact = $this->impact($cvssDetail->conf_impact,$cvssDetail->integ_impact,$cvssDetail->avail_impact);
        $impactFunction = $this->impact_function($impact);
        $baseScore = round($this->base_score($impact,$exploitabilitySubScore,$impactFunction),1);
        $temporalScore = round($this->temporal_score($baseScore,$cvssDetail->exploitability,$cvssDetail->remediation_level,$cvssDetail->report_confidence),1);
        $overallScore = $this->overall_score($environmentalScore,$temporalScore,$baseScore);
        //Debug Printing
        print "CVE Number: $cvssDetail->cve_number<br />";
        print "Server: $cvssDetail->server<br />";
        print "Impact SubScore: " . round($impact,1) . "<br />";
        print "Exploitability SubScore: $exploitabilitySubScore<br />";
        print "CVSS Temporal Score: $temporalScore<br />";
        print "CVSS Environmental Score: $environmentalScore<br />";
        print "--Adjusted Temporal Score: $adjustedTemporalScore<br />";
        print "--Collateral Damage Potential: $cvssDetail->collateral_damage_potential<br />";
        print "--Target Distribution: $cvssDetail->target_distribution<br />";
        print "NIST CVSS Score: $cvssDetail->nist_cvss<br />";
        print "CVSS Base Score: $baseScore<br />";
        print "Overall CVSS Score: $overallScore<br />";
        return $overallScore;
    }
    //AdjustedImpact = min(10, 10.41*(1-(1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))
    function adjusted_impact($confImpact,$confReq,$integImpact,$integReq,$availImpact,$availReq)
    {
        $adjustedImpact = min(10,10.41*(1-(1-$confImpact*$confReq)*(1-$integImpact*$integReq)*(1-$availImpact*$availReq)));
        return $adjustedImpact;
    }
    //f(AdjustedImpact): 0 when the adjusted impact is 0, otherwise 1.176.
    //Note the comparison operator: a single "=" here assigns 0 and always selects 1.176.
    function adjusted_impact_function($adjustedImpact)
    {
        return ($adjustedImpact == 0) ? 0 : 1.176;
    }
    //Exploitability = 20*AccessVector*AccessComplexity*Authentication
    function exploitability_subscore($accessComplexity,$authentication,$accessVector)
    {
        $exploitabilitySubScore = 20*$accessComplexity*$authentication*$accessVector;
        return $exploitabilitySubScore;
    }
    function adjusted_base_score($adjustedImpact,$exploitabilitySubScore,$adjustedImpactFunction)
    {
        $adjustedBaseScore = (0.6*$adjustedImpact+0.4*$exploitabilitySubScore-1.5)*$adjustedImpactFunction;
        return $adjustedBaseScore;
    }
    function adjusted_temporal_score($adjustedBaseScore,$exploitability,$remediationLevel,$reportConfidence)
    {
        $adjustedTemporalScore = $adjustedBaseScore*$exploitability*$remediationLevel*$reportConfidence;
        return $adjustedTemporalScore;
    }
    //Environmental = (AdjustedTemporal + (10 - AdjustedTemporal)*CollateralDamagePotential)*TargetDistribution
    function environmental_score($adjustedTemporalScore,$collateralDamagePotential,$targetDistribution)
    {
        $environmentalScore = ($adjustedTemporalScore+(10-$adjustedTemporalScore)*$collateralDamagePotential)*$targetDistribution;
        return $environmentalScore;
    }
    //Pick the most specific score that was actually supplied. PHP's defined() tests
    //named constants, not variables, so is_null() is the right check here.
    function overall_score($environmentalScore,$temporalScore,$baseScore)
    {
        if (is_null($environmentalScore))
        {
            if (is_null($temporalScore))
            {
                return $baseScore;
            }
            return $temporalScore;
        }
        return $environmentalScore;
    }
    //Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
    function impact($confImpact,$integImpact,$availImpact)
    {
        $impact = 10.41*(1-(1-$confImpact)*(1-$integImpact)*(1-$availImpact));
        return $impact;
    }
    //f(Impact): 0 when the impact sub-score is 0 (an all-NONE vulnerability scores 0), otherwise 1.176.
    //As above, "==" is required; "=" would assign and always return 1.176.
    function impact_function($impact)
    {
        return ($impact == 0) ? 0 : 1.176;
    }
    //BaseScore = ((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact)
    function base_score($impact,$exploitabilitySubScore,$impactFunction)
    {
        $baseScore = (0.6*$impact+0.4*$exploitabilitySubScore-1.5)*$impactFunction;
        return $baseScore;
    }
    //TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence
    function temporal_score($baseScore,$exploitability,$remediationLevel,$reportConfidence)
    {
        $temporalScore = $baseScore*$exploitability*$remediationLevel*$reportConfidence;
        return $temporalScore;
    }
}
17 Jun, 2009
measurable
Here is a PHP class I wrote for storing the SCAP details. The next post will be the class I wrote to calculate the Device Specific CVSS Score. I will also post the DB queries I use to get the data from my database into this PHP class.
class cvss_details {
    //Metric weights are filled in by the setters below and read directly by calculate_cvss.
    //Defaults match the setters' default cases, so an unset metric still gets a usable weight.
    public $nist_cvss, $cve_number, $server;
    public $access_vector, $access_complexity, $authentication;
    public $conf_impact, $integ_impact, $avail_impact;
    public $conf_req = 1, $integ_req = 1, $avail_req = 1;
    public $collateral_damage_potential = 0, $target_distribution = 1;
    public $exploitability = 1, $remediation_level = 1, $report_confidence = 1;
function set_nist_cvss($cvss)
{
//This is the calculated CVSS Base Score, provided by NIST.
//For Comparison Debugging
$this->nist_cvss = $cvss;
}
function set_cve_number($cve)
{
$this->cve_number = $cve;
}
function set_server($server)
{
$this->server = $server;
}
function set_collateral_damage_potential($cdp)
{
switch ($cdp)
{
case "NONE":
$this->collateral_damage_potential = 0;
break;
case "LOW":
$this->collateral_damage_potential = 0.1;
break;
case "LOW-MEDIUM":
$this->collateral_damage_potential = 0.3;
break;
case "MEDIUM-HIGH":
$this->collateral_damage_potential = 0.4;
break;
case "HIGH":
$this->collateral_damage_potential = 0.5;
break;
default:
$this->collateral_damage_potential = 0;
}
}
function set_target_distribution($targetDistribution)
{
switch ($targetDistribution)
{
case "NONE":
$this->target_distribution = 0;
break;
case "LOW":
$this->target_distribution = 0.25;
break;
case "MEDIUM":
$this->target_distribution = 0.75;
break;
case "HIGH":
$this->target_distribution = 1;
break;
default:
$this->target_distribution = 1;
}
}
function set_conf_req($conf_req)
{
switch ($conf_req)
{
case 1:
$this->conf_req = 1.51;
break;
case 2:
$this->conf_req = 1;
break;
case 3:
$this->conf_req = 0.5;
break;
default:
$this->conf_req = 1;
}
}
function set_integ_req($integ_req)
{
switch ($integ_req)
{
case 1:
$this->integ_req = 1.51;
break;
case 2:
$this->integ_req = 1;
break;
case 3:
$this->integ_req = 0.5;
break;
default:
$this->integ_req = 1;
}
}
function set_avail_req($avail_req)
{
switch ($avail_req)
{
case 1:
$this->avail_req = 1.51;
break;
case 2:
$this->avail_req = 1;
break;
case 3:
$this->avail_req = 0.5;
break;
default:
$this->avail_req = 1;
}
}
function set_access_complexity($accessComplexity)
{
switch ($accessComplexity)
{
case "HIGH":
$this->access_complexity = 0.35;
break;
case "MEDIUM":
$this->access_complexity = 0.61;
break;
case "LOW":
$this->access_complexity = 0.71;
break;
}
}
function set_authentication($authentication)
{
switch ($authentication)
{
case "NONE":
$this->authentication = 0.704;
break;
case "SINGLE_INSTANCE":
$this->authentication = 0.56;
break;
case "MULTIPLE_INSTANCES":
$this->authentication = 0.45;
break;
}
}
function set_access_vector($accessVector)
{
switch ($accessVector)
{
case "LOCAL":
$this->access_vector = 0.395;
break;
case "ADJACENT_NETWORK":
$this->access_vector = 0.646;
break;
case "NETWORK":
$this->access_vector = 1;
break;
}
}
function set_conf_impact($confImpact)
{
switch ($confImpact)
{
case "NONE":
$this->conf_impact = 0;
break;
case "PARTIAL":
$this->conf_impact = 0.275;
break;
case "COMPLETE":
$this->conf_impact = 0.660;
break;
}
}
function set_integ_impact($integImpact)
{
switch ($integImpact)
{
case "NONE":
$this->integ_impact = 0;
break;
case "PARTIAL":
$this->integ_impact = 0.275;
break;
case "COMPLETE":
$this->integ_impact = 0.660;
break;
}
}
function set_avail_impact($availImpact)
{
switch ($availImpact)
{
case "NONE":
$this->avail_impact = 0;
break;
case "PARTIAL":
$this->avail_impact = 0.275;
break;
case "COMPLETE":
$this->avail_impact = 0.660;
break;
}
}
function set_exploitability($exploitability)
{
switch ($exploitability)
{
case "UNPROVEN":
$this->exploitability = 0.85;
break;
case "PROOF_OF_CONCEPT":
$this->exploitability = 0.90;
break;
case "FUNCTIONAL":
$this->exploitability = 0.95;
break;
case "HIGH":
$this->exploitability = 1;
break;
default:
$this->exploitability = 1;
}
}
function set_remediation_level($remediationLevel)
{
switch ($remediationLevel)
{
case "OFFICIAL_FIX":
$this->remediation_level = 0.87;
break;
case "TEMPORARY_FIX":
$this->remediation_level = 0.90;
break;
case "WORKAROUND":
$this->remediation_level = 0.95;
break;
case "UNAVAILABLE":
$this->remediation_level = 1;
break;
default:
$this->remediation_level = 1;
}
}
function set_report_confidence($reportConfidence)
{
switch($reportConfidence)
{
case "UNCONFIRMED":
$this->report_confidence = 0.90;
break;
case "UNCORROBORATED":
$this->report_confidence = 0.95;
break;
case "CONFIRMED":
$this->report_confidence = 1;
break;
default:
$this->report_confidence = 1;
}
}
}
26 May, 2009
measurable
Security is expensive. Personnel and equipment cost a lot. Taking a risk-based approach to securing your assets can help with budget priorities too. Someone posted a link in IRC earlier, and it reminded me of how sometimes we make bad security prioritization and investment decisions.

This illustrates how the security investment ends up costing more than the asset is worth.
*Yes, I know this is just a trucker with a sense of humor.
16 May, 2009
measurable
For the most part, everyone thinks this is the way to go. Judging by the expressions on the faces of some of the stakeholders in our current vulnerability management team, they can see the dwindling relevancy of their process. They are hesitant to accept it, but I think they will jump on board soon. They won’t have a choice.
One of the questions that came up is: “How do we score the vulnerabilities in the code that we develop?”
The short answer is: “I don’t know.”
It’s easy to work with the CVEs. They’re industry accepted. There aren’t any CVEs for the code that we develop in-house, and we develop a lot of code. If I remember correctly, we scan approximately 2 million lines of code per month for vulnerabilities.
We can apply CWE (Common Weakness Enumeration) to our in-house code, but there’s not a direct CVSS link there yet. I am tossing around the idea of creating our own set of CVEs for our own code. MYCOMPANY-CVE-2009-001 or something like that. We will have to work with our third-party application assessors to find some common system that they can all work with.
What are you all doing for code developed from within your companies?
14 May, 2009
measurable
At work, there are a few of us in infosec that “get it” when it comes to SCAP. Two of our engineers have put in many, many hours developing the scanning tools (we’re not using the OVAL interpreter; I’ll explain why, but that’s another blog post), writing the checks for the tool, getting the server administrators’ buy-in, and getting the resulting data in a form that I can use. In the system and process they have developed, we are scanning every asset for every applicable CVE that we have a check for. In our pilot, we have almost 400 servers that are being scanned every night. I get about 13,000 scan result records every day.
Tomorrow I will be showing the output of my reporting to a larger group within our infosec shop. I’ve built a dashboard that has some generic reports. With the data I have, I will show them:
- Additive CVSS Score for the day (this is in the 50,000s)
- Number of assets scanned
- Number of unique vulnerabilities found
- Total vulnerabilities found
- 2-week trend of CVSS Additive Score
- 2-week trend of number of assets
- 2-week trend of unique vulnerabilities
These reports are probably not very useful, but will provide enough visibility into what we’re capable of reporting on.
I’ll let you know how it goes!
13 May, 2009
measurable
Orbitz CISO Ed Bellis explains how the proliferation of vulnerability assessment products and services has created chaos, and how SCAP may be the answer.
It’s safe to say that vulnerability assessment tools have become commonplace within most security teams’ toolboxes. As security programs mature, they often begin to look at ways to automate tasks that are mundane and repetitive.
Check out the article here: http://www.csoonline.com/article/492213/How_SCAP_Brought_Sanity_to_Vulnerability_Management
12 May, 2009
measurable
I may be taking CVSS out of scope in my application of scores. I don’t care… it works for me, and I haven’t found a better way. I am using CVSS to help identify which assets need the most attention first.
Every CVE is provided with its corresponding CVSS V2 Base Score. In a previous post, I talked about rating every asset with its CIA requirements. These requirements feed into the CVSS V2 Impact Subscore Modifier. This tailors the CVSS V2 Score for a particular asset.
CVSS Scores have a defined 0-10 range. This is great for identifying the severity of a single vulnerability. It doesn’t do a good job of aggregating while staying within the range. In my implementation, I have decided to use an additive CVSS score per device.
By this, I mean that I add together all the CVSS scores for each CVE found on a particular device. A device may have a risk score in the hundreds. This is OK. When I report on the devices, I show several pieces of information:
- Device Name
- Number of Vulnerabilities (Unique CVEs)
- Additive CVSS V2 Base Score
- Additive CVSS V2 Overall Score (This is the Base score calculated with the Impact Subscore Modifiers)
- CVSS V2 Delta (This is subtracting the Base Score from the Overall Score) – I will talk about this in a future post.
From this, I can quickly see the relationship of number of vulnerabilities vs CVSS score for all of these vulnerabilities. With our old way of doing things, we would simply look at the number of vulnerabilities on a device and pick out the one with the most.
In practice, I have seen that a device with 40 vulnerabilities might have a score of 200, while a device with 30 vulnerabilities might have a score of 400. This helps identify our most troubled assets.
11 May, 2009
measurable

With SCAP, we get our vulnerability information in the form of CVEs. The CVEs provide us with the CVSS V2 Base Score. The CVSS V2 Base Score provides three unique metrics, specific to the vulnerability:
- Confidentiality Impact
- Integrity Impact
- Availability Impact
The cool part is when we work with the CVSS V2 Environmental score. It provides three metrics specific to the systems affected by the vulnerability:
- System Confidentiality Requirement
- System Integrity Requirement
- System Availability Requirement
This helps show you the true impact of a vulnerability on a given asset. For example, a vulnerability with a high confidentiality impact applied to a system with a high confidentiality requirement will have a higher CVSS V2 Environmental Score than the same vulnerability on a system with a low System Confidentiality Requirement.
Looking at the CVSS Base Score alone does not illustrate the true impact of a given vulnerability to your environment.
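As an added example (Python rather than the posts' PHP, and not the blog's own code), here is the CVSS v2 guide's base, temporal and environmental arithmetic with the same metric weights as the cvss_details class above, followed by the additive per-device roll-up (unique CVEs, additive base, additive overall, delta) from the 12 May post. The server names, CVE ids and scan rows are constructed placeholders; the 1/2/3 asset risk ratings are mapped to CR/IR/AR the way the posted DB loop does, and CDP/TD are left "not defined" as there.

```python
from collections import defaultdict

# CVSS v2 metric weights, keyed by the vector-string abbreviations; 'ND' = not defined.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}                        # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}                         # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}                        # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}                       # C/I/A impact
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}   # exploitability
RL = {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0}  # remediation level
RC = {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0}             # report confidence
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # collateral damage
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}             # target distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}              # CR / IR / AR
RISK_TO_REQ = {1: "H", 2: "M", 3: "L"}                        # the posts' 1/2/3 asset ratings

def r1(x):  # round_to_1_decimal, half-up, as the guide's worked examples expect
    return round(x + 1e-9, 1)
def parse_vector(vec):  # 'AV:N/AC:L/Au:N/C:N/I:N/A:C[/E:F/...]' -> dict; absent metrics read 'ND'
    return defaultdict(lambda: "ND", (p.split(":") for p in vec.split("/")))
def base_from_impact(impact, m):
    expl = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0.0 if impact == 0 else 1.176  # f(Impact): zero only when the impact sub-score is zero
    return r1((0.6 * impact + 0.4 * expl - 1.5) * f)
def base_score(m):
    return base_from_impact(10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])), m)
def temporal_score(base, m):
    return r1(base * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]])
def environmental_score(m):
    # Impact re-weighted by the asset's C/I/A requirements (capped at 10), then temporal, then CDP/TD.
    adj_impact = min(10, 10.41 * (1 - (1 - CIA[m["C"]] * REQ[m["CR"]])
                                  * (1 - CIA[m["I"]] * REQ[m["IR"]])
                                  * (1 - CIA[m["A"]] * REQ[m["AR"]])))
    adj_temporal = temporal_score(base_from_impact(adj_impact, m), m)
    return r1((adj_temporal + (10 - adj_temporal) * CDP[m["CDP"]]) * TD[m["TD"]])

def device_report(scan_rows, assets):
    """scan_rows: (server, cve, base vector); assets: server -> (data, location, business) risk 1-3,
    mapped to CR/IR/AR as the posted DB loop does. Returns server -> (CVEs, base, overall, delta)."""
    acc = defaultdict(lambda: {"cves": set(), "base": 0.0, "overall": 0.0})
    for server, cve, vec in scan_rows:
        m = parse_vector(vec)
        m["CR"], m["IR"], m["AR"] = (RISK_TO_REQ[x] for x in assets[server])
        a = acc[server]
        a["cves"].add(cve)
        a["base"] += base_score(m)
        a["overall"] += environmental_score(m)  # CDP / TD left 'ND', as in the posted DB loop
    return {s: (len(a["cves"]), r1(a["base"]), r1(a["overall"]), r1(a["overall"] - a["base"]))
            for s, a in acc.items()}

# Constructed sample scan records (placeholder CVE ids) and asset risk ratings (data, location, business).
SCAN_ROWS = [("web01", "CVE-SAMPLE-0001", "AV:N/AC:L/Au:N/C:N/I:N/A:C"),
             ("web01", "CVE-SAMPLE-0002", "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
             ("db01", "CVE-SAMPLE-0002", "AV:N/AC:M/Au:N/C:P/I:P/A:P")]
ASSETS = {"web01": (1, 2, 3), "db01": (2, 2, 1)}
```

A negative delta means the asset's CIA requirements pull a device's overall score below its NVD base total; a positive one flags the devices the 11 May post is about, where the base score alone understates the impact.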