In our security bulletin of March 2007, we presented the various initiatives that exist regarding vulnerability naming: CVE, CME and CVSS at first (already adopted by the Cert-IST), but also OVAL, CPE and CWE.

In parallel to vulnerability management, other work concerns the configuration of devices and the impact of this configuration on the security level of a system. NIST (already the initiator of many of these works) has in particular published a report describing standard measures for security configuration issues. This report, which is up to now a "draft", is called "Common Configuration Scoring System" (CCSS). Operating systems and applications have different configuration settings that affect their security level (security configuration settings). CCSS aims at establishing a set of measures for security configuration issues and giving them a score. These CCSS scores, derived from the CVSS (Common Vulnerability Scoring System) standard, are designed to measure the severity of a configuration issue.

In order to illustrate the use of CCSS, we take two examples from the NIST document, coming from the CCE (Common Configuration Enumeration) standard. As a reminder, the CVSS score computation uses the following acronyms:

CCE-4675-5: This security option affects kernel-level auditing on Solaris 10 systems. Here are the values obtained for this option:

The CCSS base score obtained is 5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N).

CCE-3047-8: This security option concerns application management on Windows XP. This service may be enabled or disabled. If this service is disabled but should be enabled, it prevents local users from installing and using new applications, which has a partial impact on availability. If this service is enabled but should be disabled, it allows a local user to install or remove programs, which has a partial impact on integrity. In both cases, the weakness is exploitable locally, the access complexity is low and no authentication is required. The CCSS base score obtained is 2.1 - (AV:L/AC:L/Au:N/C:N/I:N/A:P for the first case, AV:L/AC:L/Au:N/C:N/I:P/A:N for the second).

At present, CCSS only deals with base security configuration issues, that is, those not linked to temporal evolution or to the environment. The upcoming integration of these aspects should enable CCSS to be used in organizations to set up risk assessment processes and manage the security configuration of their systems. The Cert-IST keeps following the evolution of these initiatives carefully in order to evaluate the interest of integrating them into its processes.