SCAP 02112007 IAWS


Presentation Transcript

Slide1: 

Automating Compliance Checking, Vulnerability Management, and Security Measurement Peter Mell and Stephen Quinn Computer Security Division NIST A DISA, NSA, and NIST Partnership Sponsored by DHS

Outline: 

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

The Compliance Game: 

The Compliance Game

Every high level policy should ultimately map to low level settings, and there are millions of settings to manage across the Agency.

High level policy (Mgmt, Operational, Technical risk controls): FISMA, HIPAA, SOX, GLB, INTEL, COMSEC '97, DoD, ISO, Vendor, ???
Guidance the policy is mapped through: SP 800-53, DCID, NSA Req, DoD IA Controls, ISO 17799, Vendor Guide, SP 800-68, DISA STIGs & Checklists, 3rd Party Guide, NSA Guides, ???, plus Agency Tailoring
Finite set of possible known IT risk controls & application configuration options, selected by:
  OS or Application Version / Role: Windows XP, SP1, SP2
  Major Patch Level
  Environment: Enterprise, Mobile, Stand Alone, SSLF
  Impact Rating or MAC/CONF: High, Moderate, Low

Slide4: 

FISMA Compliance Model

  FISMA
  Checklists and Implementation Guidance (NIST, NSA, DISA, Vendors, Third Parties (e.g., CIS))
  Information System Security Configuration Settings

It is not possible to manually get from 30,000 ft to ground zero; automated security techniques must be employed.

The Current Quagmire…: 

The Current Quagmire…

Agency must secure the system:
  Much of this is implementing and monitoring low level security settings
  Ensure secure OS/Application installations (e.g., secure images)
  Vulnerability mitigation/patch application
  Security monitoring
  Insufficient funding available
Agency must comply with regulations:
  Higher level security controls
  Requires low level operational security to be performed, but often implemented as a paperwork exercise
  Consumes large amounts of resources

…Looks Like This: 

Agency Baseline Configuration for each Environment (Mobile User, Enterprise, Other 1 to n): assembled from the Finite Set of Possible Known Security Configuration Options & Patches, drawing on DISA STIG (Gold), DISA STIG (Platinum), NIST Special Pub., NSA Guide, Vendor Guide and Tool Vendor Rec.; the result feeds Reporting Compliance.

A Closer Look At Operations: 

Agency Baseline Configuration for each environment (Mobile User, Enterprise, Other), built from the Finite Set of Possible Known Security Configuration Options and Patches across DISA Platinum, DISA Gold, NIST Special Pub, NSA Guide and Vendor Guide, with Reporting Compliance as the output.

Slide10: 

How Security Automation Helps

All of the 'How To' and 'Mapping' is performed in the Security Content Automation Program (SCAP): the guidance sources (DISA Platinum, DISA Gold, NIST Special Pub, NSA Guide, Vendor Guide) and the Finite Set of Possible Known Security Configuration Options and Patches are mapped to the Agency Baseline Configuration for each environment (Mobile User, Enterprise, Other).

Slide11: 

SCAP How Does This Work?

The guidance documents (DISA Platinum, DISA Gold, NIST Special Pub, NSA Guide, Vendor Guide) and the Agency Baseline Configuration for each environment (Mobile User, Enterprise, Other) are expressed in XCCDF; the checks themselves are OVAL definitions; the items checked are identified by CVE (software flaws) and CCE (configuration settings).

Outline: 

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

The Compliance Answer: 

The Compliance Answer

Reduce high level security requirements (e.g., 800-53 controls)?
Congress provides more resources?

Slide14: 

Compliance & Security

Problem: comply with policy.
How: follow recommended guidelines (so many to choose from); customize to your environment (so many to address); document your exceptions (I've mixed and matched, now what?); ensure someone reads your exceptions (a standardized reporting format).
Should be basic: one coin, different sides. If I configure my system to comply with a regulation, does that mean it is secure, and vice versa?

Covering the Vulnerability Landscape: 

Covering the Vulnerability Landscape

Vulnerabilities come in two kinds:
  Security related software flaws, named by Common Vulnerabilities and Exposures (CVE)
  OS/application security related misconfigurations, named by Common Configuration Enumeration (CCE)

Slide16: 

SCAP CONOPS Phase I

  Standardized scan criteria in XCCDF/OVAL format
  Standard OVAL patch checks
  NSA Red/Blue Database
  COTS Tools

Slide17: 

SCAP CONOPS Phase I

  Standard patch and software flaw checks
  NIST SP 800-70: OS/Application configuration requirements
  Software vendors
  COTS Tools

Slide18: 

SCAP CONOPS Phase I (continued…)

  Federal Agencies (DoD & Civil)
  Security Product Vendors & Point Solution Providers
  Agency specified compliance, standardized security measurement, and vulnerability management

High Level Objectives: 

High Level Objectives

Enable technical control compliance automation: low level vulnerability checks map to high level compliance requirements.
Enable standardized vulnerability management: empower the security product vendor community to perform on-demand, Government directed security and compliance audits; end user organizations specify the requirements and COTS tools automatically perform the checks.
Enable security measurement: FISMA scorecards gain a quantitative component that maps to actual low level vulnerabilities.

Slide20: 

Additional Security Content Automation Program Objectives

Replace stove-pipe GOTS approaches.
Establish vulnerability management standards.
Encourage product vendors (e.g. Microsoft, Sun, Oracle, Red Hat) to provide direct support in the form of security guidance/content.

Slide21: 

Introductory Benefits

Federal Agencies: automation of technical control compliance (FISMA); ability of agencies to specify how systems are to be secured; ability to measure security using standardized methods.
COTS Tool Vendors: vendors compete on the quality of the tool, not on the checking content; provision of an enhanced IT security data repository; no cost and license free; standards based (CVE/OVAL/XCCDF/CVSS/CCE); covers both software flaw and configuration issues; elimination of duplicated effort and cost reduction through standardization.

Slide22: 

Common FISMA Statements

While FISMA compliance is important, it can be complex and demanding.
'Can parts of FISMA compliance be streamlined and automated?'
'My organization spends more money on compliance than remediation.'

Slide23: 

Fundamental FISMA Questions

  What are the NIST Technical Security Controls?
  What are the specific NIST recommended settings for individual technical controls?
  Am I compliant with the NIST recommendations, and can I use my COTS product?
  How do I implement the recommended setting for technical controls? Can I use my COTS product?
  Will I be audited against the same criteria I used to secure my systems?

Slide24: 

FISMA Documents

The same questions:
  What are the NIST Technical Security Controls?
  What are the specific NIST recommended settings for individual technical controls?
  Am I compliant with the NIST recommendations, and can I use my COTS product?
  How do I implement the recommended setting for technical controls? Can I use my COTS product?
  Will I be audited against the same criteria I used to secure my systems?
Answered by the FISMA document set:
  Security Control Refinement: SP 800-53 / FIPS 200 / SP 800-30
  Security Control Assessment: SP 800-53A / SP 800-26 / SP 800-37

Slide25: 

Automation of FISMA Technical Controls

The same questions:
  What are the NIST Technical Security Controls?
  What are the specific NIST recommended settings for individual technical controls?
  Am I compliant with the NIST recommendations, and can I use my COTS product?
  How do I implement the recommended setting for technical controls? Can I use my COTS product?
  Will I be audited against the same criteria I used to secure my systems?
Answered with SCAP content hosted in NVD and checked by SCAP-capable COTS tools.

Slide26: 

Number of Controls with Automated Validation Support (of the 163 controls in SP 800-53)

Security Content Automation Program:
  Full Automation: 31 (19%)
  Partial Automation: 39 (24%)
Cyber Security Assessment and Mgmt (machine-readable security report formats):
  Full Automation: 21 (13%)
  Partial Automation: 28 (17%)
Future Automation Techniques or No Automation: 44 (27%)
Total Controls: 163 (100%)

Slide27: 

Inside The Numbers

Importance/Priority: securely configuring an IT system is of great importance.
Complexity of Implementation: some controls require system-specific technical knowledge not always available in personnel; SCAP provides a common framework.
Labor: some controls (e.g. AC-3, CM-6) require thousands of specific checks to ensure compliance.

On the Schedule: 

On the Schedule

Content for Platforms and Applications Under Development (* = some beta content is available):
  Windows Vista * (Profiles: Microsoft, Air Force, NIST)
  Windows XP Professional * (Profiles: DISA, NSA, NIST/FISMA)
  Windows 2003 * (Profiles: DISA, NSA, NIST/FISMA, Microsoft)
  Desktop Applications: IE 6.0, IE 7.0, Netscape, Firefox, Office 2000, Office 2003, Office 2007, Office XP, JVM, Adobe Reader/Acrobat, Flash, .Net Framework
  Red Hat Linux (Profiles: Vendor and DISA)
Content Scheduled:
  Web Servers: IIS 5, IIS 6

Mappings To Policy & Identifiers: 

Mappings To Policy & Identifiers

  FISMA Security Controls (all 17 families and 163 controls, for reporting reasons)
  DoD IA Controls
  CCE Identifiers (configuration issues)
  CVE Identifiers (software flaw issues)
  CVSS Scoring System (vulnerability impact)
  DISA Vulnerability Management System, Gold Disk
  NSA References
  Vendor References
  etc.

NIST Publications: 

NIST Publications NIST Checklist Publication (Revised Special Publication 800-70) NIST IR – National Security Automation Program NIST IR 7275 – XCCDF version 1.1.2 (Draft Posted)

Outline: 

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

The Compliance Game: 

The Compliance Game

Every high level policy should ultimately map to low level settings, and there are millions of settings to manage across the Agency.

High level policy (Mgmt, Operational, Technical risk controls): FISMA, HIPAA, SOX, GLB, INTEL, COMSEC '97, DoD, ISO, Vendor, ???
Guidance the policy is mapped through: SP 800-53, DCID, NSA Req, DISA STIGs, ISO 17799, Vendor Guide, SP 800-68, Checklists, 3rd Party Guide, NSA Guides, ???, plus Agency Tailoring
Finite set of possible known IT risk controls & application configuration options, selected by:
  OS or Application Version / Role: Windows XP, SP1, SP2
  Major Patch Level
  Environment: Enterprise, Mobile, Stand Alone, SSLF
  Impact Rating or MAC/CONF: High, Moderate, Low

XML Made Simple: 

XML Made Simple (the slide's car-care analogy for the two formats)

XCCDF - eXtensible Car Care Description Format
OVAL - Open Vehicle Assessment Language

The "checklist" describes the car and what must be true of it:

    <Car>
      <Description>
        <Year> 1997 </Year>
        <Make> Ford </Make>
        <Model> Contour </Model>
        <Maintenance>
          <Check1> Gas Cap = On </Check1>
          <Check2> Oil Level = Full </Check2>
        </Maintenance>
      </Description>
    </Car>

The "checks" say where to look and what procedure to follow:

    <Checks>
      <Check1>
        <Location> Side of Car </Location>
        <Procedure> Turn </Procedure>
      </Check1>
      <Check2>
        <Location> Hood </Location>
        <Procedure> … </Procedure>
      </Check2>
    </Checks>

XCCDF & OVAL Made Simple: 

XCCDF & OVAL Made Simple

XCCDF - Extensible Configuration Checklist Description Format
OVAL - Open Vulnerability and Assessment Language

The XCCDF side identifies the guidance document and the platform, and lists what must be true:

    <Document>
      <ID> NIST SP 800-68 </ID>
      <Date> 04/22/06 </Date>
      <Version> 1 </Version>
      <Revision> 2 </Revision>
      <Platform> Windows XP </Platform>
      <Check1> Password >= 8 </Check1>
      <Check2> FIPS Compliant </Check2>
    </Document>

The OVAL side says how to test each item on the machine:

    <Checks>
      <Check1>
        <RegistryCheck> … </RegistryCheck>
        <Value> 8 </Value>
      </Check1>
      <Check2>
        <FileVersion> … </FileVersion>
        <Value> 1.0.12.4 </Value>
      </Check2>
    </Checks>

Application to Automated Compliance: The Connected Path: 

Application to Automated Compliance: The Connected Path

800-53 Security Control -> 800-68 Security Guidance -> NSAP Produced Security Guidance in XML Format -> COTS Tool Ingest -> API Call -> Result

Application to Automated Compliance: 

Application to Automated Compliance

800-53 Security Control: AC-7 Unsuccessful Login Attempts
800-68 Security Guidance / DISA STIG / DISA Checklist / NSA Guide: AC-7: Account Lockout Duration; AC-7: Account Lockout Threshold
NSAP Produced Security Guidance in XML Format (the OVAL registry test as drawn on the slide):

    <registry_test id="wrt-9999" comment="Account Lockout Duration Set to 5" check="at least 5">
      <object>
        <hive>HKEY_LOCAL_MACHINE</hive>
        <key>Software\Microsoft\Windows</key>
        <name>AccountLockoutDuration</name>
      </object>
      <data operation="AND">
        <value operator="greater than">5</value>
      </data>
    </registry_test>

COTS Tool Ingest (what the tool pulls out of the XML):

    lpHKey = 'HKEY_LOCAL_MACHINE'
    Path   = 'Software\Microsoft\Windows\'
    sKey   = 'AccountLockoutDuration'
    Value  = '5'
    Op     = '>'

API Call (sketch of the check the tool performs):

    RegQueryValue(lpHKey, Path, sKey, &regValue);
    if (Op == '>')
        return (regValue > Value) ? 1 : 0;

Result: 1 (pass) or 0 (fail), reported against AC-7.

Two things to notice in the sketch: the comment says "at least 5" while the operator is "greater than" (an "at least" check is "greater than or equal"), and the key path is illustrative; on a real Windows host the account lockout settings are security policy values, not a key under Software\Microsoft\Windows.

Security Measurement: 

Security Measurement

How secure is my computer?
  Measure security of the configuration
  Measure conformance to recommended application and OS security settings
  Measure the presence of security software (firewalls, antivirus…)
  Measure presence of vulnerabilities (needed patches)
How well have I implemented the FISMA requirements (NIST SP 800-53 technical controls)?
  Measure deviation from requirements
  Measure risk to the agency

Setting Ground Truth/Defining Security: 

Setting Ground Truth/Defining Security

For each OS/application, the security specification for the platform and application combines:
  Required technical security controls
  Required configurations (secure configuration guidance)
  Vulnerabilities (list of all known vulnerabilities)
  Necessary security tools
expressed as a low level checking specification.

Automated Security Measurement System: 

Automated Security Measurement System

Definition of what it means to be secure (FISMA security requirements) + vulnerability checking tools -> deviation from requirements -> impact to the system -> impact to the agency, computed through an impact scoring system and an organizational impact rating.

Configuration Guidance in the Context of 800-53/FIPS 199: 

Configuration Guidance in the Context of 800-53/FIPS 199

800-53, Appendix D specifies security control applicability according to the High, Moderate, and Low impact rating of an IT system. 800-68 provides specific configuration information according to environment (Standalone, Enterprise, SSLF, and Legacy). The NIST XML specifies the applicable 800-68 security settings according to the 800-53 guidelines.

EXAMPLE: AC-12 (session termination) is applicable to IT systems with a Moderate or High impact rating, but not to systems rated Low. The XCCDF profiles for High and Moderate systems enable the group containing the AC-12 rules, and the profile for Low systems disables that group. The XCCDF rules refer to the appropriate OVAL definitions in the companion OVAL file (named WindowsXP-SP800-68.xml).
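An added worked example, not code from the NIST slides, of the connected path on the "Application to Automated Compliance" slides combined with the profile-based applicability described here: an XCCDF Profile selects which Groups (one per 800-53 control) are in scope for a system's impact rating, each Rule names an OVAL definition, and the OVAL registry_test is evaluated against the host's registry. The benchmark, the OVAL content, the registry snapshot and the oval:ex:* identifiers are all constructed for this example, and the element layout is a trimmed sketch of the XCCDF 1.1 and OVAL 5 schemas (no namespaces, no metadata); the scoring follows the XCCDF default model.

```python
# Added example (not from the NIST slides).  An XCCDF Profile selects which
# Groups apply to a system's impact rating, each Rule names an OVAL definition,
# and the OVAL registry_test is checked against the host registry.  Benchmark,
# OVAL content, registry snapshot and oval:ex:* ids are constructed; the element
# layout is a trimmed sketch of the XCCDF 1.1 / OVAL 5 schemas.
import re
import xml.etree.ElementTree as ET

# Constructed registry snapshot: (hive, key, value name) -> data.  Key paths are
# illustrative, as on the slide; real lockout settings live in security policy.
REGISTRY = {
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows", "AccountLockoutDuration"): 15,
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows", "AccountLockoutThreshold"): 0,
    ("HKEY_LOCAL_MACHINE", r"Software\Policies\Microsoft\Windows\Control Panel\Desktop", "ScreenSaveTimeOut"): 600,
}

XCCDF = """<Benchmark id="xp-sp800-68">
  <Profile id="low"><select idref="AC-7" selected="true"/><select idref="AC-12" selected="false"/></Profile>
  <Profile id="moderate"><select idref="AC-7" selected="true"/><select idref="AC-12" selected="true"/></Profile>
  <Group id="AC-7">
    <Rule id="lockout-duration"><check><check-content-ref name="oval:ex:def:1"/></check></Rule>
    <Rule id="lockout-threshold"><check><check-content-ref name="oval:ex:def:2"/></check></Rule>
  </Group>
  <Group id="AC-12">
    <Rule id="session-timeout"><check><check-content-ref name="oval:ex:def:3"/></check></Rule>
  </Group>
</Benchmark>"""

# The companion OVAL file the rules refer to, embedded inline.
OVAL = r"""<oval_definitions>
  <definition id="oval:ex:def:1"><criteria><criterion test_ref="oval:ex:tst:1"/></criteria></definition>
  <definition id="oval:ex:def:2"><criteria><criterion test_ref="oval:ex:tst:2"/></criteria></definition>
  <definition id="oval:ex:def:3"><criteria><criterion test_ref="oval:ex:tst:3"/></criteria></definition>
  <registry_test id="oval:ex:tst:1"><object object_ref="oval:ex:obj:1"/><state state_ref="oval:ex:ste:1"/></registry_test>
  <registry_test id="oval:ex:tst:2"><object object_ref="oval:ex:obj:2"/><state state_ref="oval:ex:ste:2"/></registry_test>
  <registry_test id="oval:ex:tst:3"><object object_ref="oval:ex:obj:3"/><state state_ref="oval:ex:ste:3"/></registry_test>
  <registry_object id="oval:ex:obj:1"><hive>HKEY_LOCAL_MACHINE</hive><key>Software\Microsoft\Windows</key><name>AccountLockoutDuration</name></registry_object>
  <registry_object id="oval:ex:obj:2"><hive>HKEY_LOCAL_MACHINE</hive><key>Software\Microsoft\Windows</key><name>AccountLockoutThreshold</name></registry_object>
  <registry_object id="oval:ex:obj:3"><hive>HKEY_LOCAL_MACHINE</hive><key>Software\Policies\Microsoft\Windows\Control Panel\Desktop</key><name>ScreenSaveTimeOut</name></registry_object>
  <registry_state id="oval:ex:ste:1"><value datatype="int" operation="greater than or equal">5</value></registry_state>
  <registry_state id="oval:ex:ste:2"><value datatype="int" operation="greater than">0</value></registry_state>
  <registry_state id="oval:ex:ste:3"><value datatype="int" operation="less than or equal">900</value></registry_state>
</oval_definitions>"""

# OVAL comparison operations: actual value on the host vs expected value in the state.
OPERATIONS = {
    "equals": lambda a, e: a == e,
    "greater than": lambda a, e: a > e,
    "greater than or equal": lambda a, e: a >= e,
    "less than": lambda a, e: a < e,
    "less than or equal": lambda a, e: a <= e,
    "pattern match": lambda a, e: re.search(e, str(a)) is not None,
}

def by_id(root, tag, ident):
    return root.find(f".//{tag}[@id='{ident}']")

def eval_registry_test(oval, test, registry):
    """True when the registry value exists and satisfies every state <value>."""
    obj = by_id(oval, "registry_object", test.find("object").get("object_ref"))
    state = by_id(oval, "registry_state", test.find("state").get("state_ref"))
    lookup = (obj.findtext("hive"), obj.findtext("key"), obj.findtext("name"))
    if lookup not in registry:  # object absent on the host: the test does not pass
        return False
    for val in state.findall("value"):
        expected = int(val.text) if val.get("datatype") == "int" else val.text
        if not OPERATIONS[val.get("operation", "equals")](registry[lookup], expected):
            return False
    return True

def eval_definition(oval, def_id, registry):
    """A definition passes when every <criterion> test passes (AND criteria)."""
    return all(eval_registry_test(oval, by_id(oval, "registry_test", c.get("test_ref")), registry)
               for c in by_id(oval, "definition", def_id).iter("criterion"))

def evaluate(xccdf_xml, oval_xml, profile_id, registry):
    """Return ({rule id: pass|fail|notselected}, benchmark score) for one profile.

    XCCDF default scoring: a rule scores 100 on pass and 0 on fail; a Group (and
    the Benchmark) scores the weighted mean of its selected children (weight 1.0).
    """
    bench, oval = ET.fromstring(xccdf_xml.strip()), ET.fromstring(oval_xml.strip())
    profile = bench.find(f"Profile[@id='{profile_id}']")
    selected = {s.get("idref"): s.get("selected") == "true" for s in profile.findall("select")}
    results = {}

    def score(node, in_scope):
        if node.tag == "Rule":
            if not in_scope:
                results[node.get("id")] = "notselected"
                return None
            passed = eval_definition(oval, node.find("check/check-content-ref").get("name"), registry)
            results[node.get("id")] = "pass" if passed else "fail"
            return 100.0 if passed else 0.0
        weighted = []
        for child in node:  # Profiles are skipped; only Groups and Rules are scored
            if child.tag in ("Group", "Rule"):
                s = score(child, in_scope and selected.get(child.get("id"), True))
                if s is not None:
                    weighted.append((float(child.get("weight", "1.0")), s))
        return sum(w * s for w, s in weighted) / sum(w for w, _ in weighted) if weighted else None

    return results, score(bench, True)

if __name__ == "__main__":
    for profile_id in ("low", "moderate"):
        print(profile_id, *evaluate(XCCDF, OVAL, profile_id, REGISTRY))
```

With the constructed registry, the moderate profile reports the lockout threshold of 0 as a fail (lockout effectively disabled) and scores 75; the low profile marks the AC-12 rule notselected and scores 50, which is the behaviour the AC-12 example above describes. An absent registry value counts as a failed test rather than a pass, which is the safe default when a tool cannot read a setting.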

Outline: 

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

Slide42: 

Security Content Automation Program (SCAP) Status

NIST, DISA, NSA Security Automation Conference, September 2006: 250+ attendees; keynote addresses by DISA CIAO Richard Hale, DOJ CISO Dennis Heretick, and NSA's Chief of IAD Tony Sager.
SCAP Beta Web Site / Repository deployed on October 20th: http://nvd.nist.gov/scap/scap.cfm

Slide43: 

SCAP Tool Vendor Adoption

Tool vendor adoption of SCAP:
  ThreatGuard (free!!)
  Secure Elements
  Tenable Nessus (under development)
Asserted statements of compliance to SCAP:
  Symantec (not received)
  McAfee (not received)
  ASG (received)
  ManTech (evaluating)
  CSC (evaluating)

Beta Security Automation Files Available: 

Beta Security Automation Files Available

  Windows Vista: misconfigurations; DISA/NSA/NIST, Microsoft, Air Force policies
  Windows XP: misconfigurations/software flaws; NIST FISMA and DISA policies (SP 800-68 / Gold Disk)
  Windows Server 2003: misconfigurations/software flaws; Microsoft and NIST FISMA policies
  Red Hat Enterprise Linux: software flaws
Many more under development!!

Outline: 

Outline Security Content Automation Program Objectives and Benefits FISMA and DOD Compliance Automation How and why Enabling Automation Through Integration of Government and Industry Programs Technical Approach Status

Combining Existing Initiatives: 

Combining Existing Initiatives

  DISA: STIG & Checklist Content; Gold Disk & VMS; Research
  FIRST: Common Vulnerability Scoring System (CVSS)
  MITRE: Common Vulnerabilities and Exposures (CVE); Common Configuration Enumeration (CCE); Open Vulnerability & Assessment Language (OVAL)
  NIST: National Vulnerability Database; Checklist Program; Security Content Automation Program
  NSA: Extensible Configuration Checklist Description Format (XCCDF); Security Guidance & Content

Existing NIST Products: 

Existing NIST Products

National Vulnerability Database: 2.5 million hits per month; 16 new vulnerabilities per day; integrated standards
Checklist Program: 115 separate guidance documents; covers 140 IT products
(Further figures from the slide whose labels did not survive: 244 products, 22 vendors; 8 vendors, 24 products)

National Vulnerability Database: 

National Vulnerability Database

NVD is a comprehensive cyber security vulnerability database that:
  Integrates all publicly available U.S. Government vulnerability resources
  Provides references to industry resources
It is based on and synchronized with the CVE vulnerability naming standard.
XML feed for all CVEs.
http://nvd.nist.gov

NIST Checklist Program: 

NIST Checklist Program

Created in response to NIST being named in the Cyber Security R&D Act of 2002.
Encourages vendor development and maintenance of security guidance.
Currently hosts 115 separate guidance documents for over 140 IT products, in English prose and in automation-enabling formats (e.g. .inf files, scripts).
Need: provide configuration data in a standard, consumable format.
http://checklists.nist.gov

eXtensible Configuration Checklist Description Format: 

eXtensible Configuration Checklist Description Format

Developed by the NSA. Designed to support:
  Information interchange
  Document generation
  Organizational and situational tailoring
  Automated compliance testing and scoring
Published as NIST IR 7275.
Goal: foster more widespread application of good security practices.
http://nvd.nist.gov/scap/xccdf/xccdf.cfm

Slide51: 

Involved Organizations

  Standards Integration Projects
  IT Security Vendors (press releases from large security vendors forthcoming)

Slide52: 

Standards Integration Projects

We couple configuration checking with software flaw/patch checking.

Slide53: 

Questions?

Peter Mell (NVD / SCAP)
Stephen Quinn (SCAP / NIST Checklist Program)
Computer Security Division, NIST Information Technology Laboratory
mell@nist.gov, stquinn@nist.gov
