security advisories – sources and examples presented by srujan baddam


Upload: debra-gregory

Post on 13-Dec-2015


Page 1: Security Advisories – Sources and examples

Presented by Srujan Baddam

Page 2: Outline

1. Introduction
2. Scorecard approach
3. Goal-Question Metric (GQM) technique
4. Examples
5. Conclusions

Page 3: Introduction

A security advisory is a formal message issued by a vendor or a third party to alert a product’s user community about security problems associated with the product and to provide information about how to avoid, minimize, or recover from any damage.

Topics: vulnerability disclosure; assigning a security rating to security advisories.

Security advisories on their own don’t help users and system administrators effectively manage and assess the impact of vulnerability disclosures. Here comes the scorecard approach.

Page 4: Scorecard Approach

The main goal is to help users and system administrators efficiently manage and assess the impact of vulnerability disclosures. The approach is based on the Goal-Question-Metric technique.

It is designed to let users record useful information, and to let security response centers publish advisories in a way that will help the community respond more efficiently.

Page 5: The [un]readability of security bulletins

Page 6: The [un]readability of security bulletins (contd.)

The survey of various security bulletin boards shows that each has a completely different view about what to publish, what information to include, and how to organize the data.

Similar values at the various bulletin boards for specific vendors have been recorded: an average of 45 for Cisco, 72 for Microsoft, and 44 for FreeBSD for each of the past three years. For general, non-vendor-specific informational postings, we recorded 37 advisories for CERT, 734 for Australian CERT (AusCERT), 56 for Symantec, and 1,568 for CVE.

The unexpectedly high difference between these numbers indicates that there is no clear rule on what is considered a security advisory.

Page 7: A metrics-based scorecard

The vendors’ bulletin boards do not provide a practical guide on how to read, evaluate and handle a security advisory, which can mislead the user communities.

The scorecard approach provides a solution for this problem by defining a series of metrics.

It contains 9 categories of metrics, ordered by their evaluation sequence, and gives a complete picture of both the vulnerability and the relevant risk.

Page 8: Metrics-based scorecard (contd.)

1. Vulnerability’s target
   1. Logical
   2. Physical
2. Applicability scope
3. Exploitation preconditions
4. Organization factors
5. Exploitation impact
6. Community impact
7. Solution requirements
8. Solution impact
9. Conclusions impact

Page 9: Action sequence for handling security advisories

Page 10: A metrics-based scorecard (contd.)

There are two phases in the metrics-based scorecard method:
1. Assessment phase
2. Implementation phase

The assessment phase has the following metrics.

1. Target: Logical targets refer to informational and processing resources. Physical targets refer to hardware, to local area network infrastructure or to the entire Internet infrastructure.

2. Applicability scope: The applicability of a security advisory depends on hardware type, OS, software installed and various configuration settings. It is usually clearly indicated in the text provided by the advisory.

Page 11: A metrics-based scorecard (contd.)

3. Exploitation preconditions: The exploitation of a vulnerability is usually performed remotely, either location-independently or only within specific logical or physical limits, such as an Intranet logical area, a LAN or a switched LAN segment. In other cases the exploitation may succeed only by normally registered users or by physical access.

4. Organization factors: These factors may considerably mitigate the impact of a vulnerability, by providing the means for better information dissemination and response procedures.

Page 12: A metrics-based scorecard (contd.)

5. Exploitation impact (damage): Exploitation impact refers to the basic security properties, i.e. the availability, the integrity and the confidentiality of the information and the infrastructure.

Exploitation may also result in unauthorized action and system misuse, such as code execution and the bypass of authentication and authorization controls.

In other cases the exploitation may provoke spreading to neighbor systems, erroneous transmission (e.g. network disruption, traffic redirection, transmission out-of-sequence) or physical damage.

Page 13: A metrics-based scorecard (contd.)

6. Community impact: Community impact can be
- financial loss, i.e. direct theft, down-time cost or restoration cost
- loss of trust in the information system

7. Solution requirements: The solution requirements focus on:
- the solution implementation, such as patching and configuring, according to the relevant security advisories
- additional protection measures that may be required, such as the use of ACLs, an IDS, firewalls, cryptography, VPNs and antivirus applications

Page 14: A metrics-based scorecard (contd.)

8. Solution impact: The implementation of a proposed solution can have the following impacts:
- cost in terms of money, labor time, system availability and organization functionality
- the time margin to take action; according to the severity of the impact it would be immediate, short-term or long-term

9. Conclusions impact: The conclusions that will arise after the assessment and the implementation phases of a security advisory are either informational or indicate further action.
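As an added illustration (not code from the slides or the work they summarize), the two phases and the nine categories written out as a small Python scorecard: the assessment phase checks applicability scope, exploitation preconditions, impact, community impact and organization factors, and the implementation phase derives the solution requirements, the time margin and the conclusion. The numeric weights and thresholds are assumptions, since the slides name the categories but give no scoring scheme.

```python
from dataclasses import dataclass

# Assumed scoring rules (the slides define no numeric scheme): how easily
# the flaw can be reached, and the worst damage exploitation can do.
PRECONDITION_SCORE = {"remote": 3, "intranet": 2, "registered_user": 1, "physical": 0}
IMPACT_SCORE = {"code_execution": 3, "auth_bypass": 3, "availability": 2,
                "integrity": 2, "confidentiality": 2, "spreading": 1}

@dataclass
class Advisory:
    target: str               # category 1: "logical" or "physical"
    applies_to: dict          # category 2: e.g. {"os": "Windows"}
    precondition: str         # category 3: a key of PRECONDITION_SCORE
    impacts: list             # category 5: keys of IMPACT_SCORE
    community_loss: str       # category 6: "financial", "trust" or "none"
    extra_measures: list      # category 7: e.g. ["firewall", "IDS"]
    mitigating_controls: int = 0   # category 4: controls already in place

def assess(adv, inventory):
    """Assessment phase: does the advisory apply to us, and how severe is it?"""
    # Applicability scope: every stated condition must match our inventory.
    applicable = all(inventory.get(k) == v for k, v in adv.applies_to.items())
    if not applicable:
        return {"applicable": False, "severity": 0}
    severity = PRECONDITION_SCORE[adv.precondition]
    severity += max((IMPACT_SCORE[i] for i in adv.impacts), default=0)
    if adv.community_loss != "none":
        severity += 1
    # Organization factors mitigate the impact, but never below zero.
    severity = max(0, severity - adv.mitigating_controls)
    return {"applicable": True, "severity": severity}

def implement(assessment, adv):
    """Implementation phase: requirements, time margin and conclusion."""
    if not assessment["applicable"]:
        return {"requirements": [], "time_margin": None, "conclusion": "informational"}
    s = assessment["severity"]
    # Assumed thresholds mapping severity to the slides' three time margins.
    margin = "immediate" if s >= 6 else "short-term" if s >= 3 else "long-term"
    return {"requirements": ["patch/configure"] + list(adv.extra_measures),
            "time_margin": margin, "conclusion": "further action"}

def scorecard(adv, inventory):
    """Run both phases in sequence and merge their results."""
    a = assess(adv, inventory)
    return {**a, **implement(a, adv)}
```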

Page 15: Goal-Question-Metric approach

A multidimensional framework for describing, implementing and managing strategy at all levels of an organization.

It is a common analysis tool in software engineering and quality management.

The GQM user sets an objective goal that can’t be directly interpreted, but rather is described by a series of questions. Each question is answered, in turn, by a series of metrics, which are either quantitative (obtain absolute values) or qualitative (answered by subjective judgments or comparable values).

Page 16: Goal-Question-Metric approach (contd.)

The goal has four parts:
- An issue relates to a security parameter (such as the impact)
- A reference object is the source of the analysis
- A perspective establishes how to interpret the issue, in terms of its impact on a service, process or system
- An intention determines how to evaluate or change the object’s parameter (assess, test)

Page 17: Example

http://www.microsoft.com/technet/security/bulletin/MS02-030.mspx

Page 18: Conclusions

A way to improve handling and reporting of security advisories is proposed.

A homogenized and stable security advisory publication scheme (using a common XML format) can be evolved by the response centers and vendors.


Page 20: Thank you