The SecInfo Management offers central access to different information relating to IT-Security. This includes the following information:
The CVEs, CPEs and OVAL definitions are published and made accessible by NIST as part of the National Vulnerability Database (NVD) (see also section Security Content Automation Protocol (SCAP)).
To get a quick overview over this information the Secinfo dashboard (see figure The SecInfo Dashboard allows displaying data graphically.) exists. It allows for the graphical display of different information grouped by different aspects.
SecInfo Data is being provided by Greenbone Networks online as well. This portal can be accessed directly through the Internet. It corresponds to data that can be displayed in the GSM as well. The SecInfo Portal is a GSM ONE that has been configured especially for anonymous guest access. Contrary to a full-fledged GSM only the SecInfo management and the CVSS online calculator are available for the guest user.
The SecInfo portal achieves a multitude of functions:
Such access can be provided yourself by activating guest access (see section Guest Log in)
The abbreviation NVT stands for Network Vulnerability Test. These are test routines the GSM utilizes and that are updated regularly with the Greenbone Security Feed. Here you can find information when the test was developed, which systems are affected, what impact the vulnerabilities have and how they can be remediated.
With the introduction of the QoD the parameter
Paranoid in the scan configuration (see chapter Scan Configuration) is being removed without replacement.
In the past a scan configuration without this parameter only used NVTs with a QoD of a minimum of 70%.
Only with this parameter all NVTs were used.
Now all NVTs are being used and executed in a scan configuration.
The filtering of the results is done on based on QoD.
That way all the results are always available in the database and can be turned on or off respectively.
The National Institute of Standards and Technology (NIST) in the USA provides the National Vulnerability Database (NVD). NVD is a data repository for the vulnerability management of the US government. The goal is the standardized provision of the data for the automated processing and support for the function of vulnerability management and the implementation of compliance guide lines. The NVD provide different databases. They include
For this the NVD utilizes the Security Content Automation Protocol (SCAP). The Security Content Automation Protocol is a combination of different interoperable standards. Many standards were developed or derived from public discussion. The public participation of the community in the development is an important aspect for accepting and spreading of the SCAP standards. The SCAP protocol is currently specified in version 1.2 and includes the following components:
OVAL, CCE, CPE and CVE are trademarks of NIST.
The Greenbone vulnerability scanner uses the OVAL standard, CVE, CPE and CVSS. By utilizing these standards the interoperability with other systems is guaranteed. These standards also allow comparing of the results.
Vulnerability scanners such as the Greenbone Security Manager can be validated by NIST respectively. The Greenbone Security Manager has been validated with respect to SCAP version 1.0.
Following, the standards utilized by the Greenbone Security Manager are being covered in more detail.
Due to the fact that in the past often multiple organizations discovered and reported vulnerabilities at the same time and assigned them different names, communication and comparison of the results was not easy. Different scanners reported the same vulnerability under different names. As a matter of fact instead of two different vulnerabilities it was actually the same vulnerability.
To address this, MITRE , sponsored by the US-CERT, founded the CVE project in 1999. Every vulnerability is assigned a unique identifier consisting of the year and a simple number. This number then serves as central reference.
The CVE database of MITRE is not a vulnerability database. CVE was developed in order to connect the vulnerability database and other systems with each other. This allows for the comparison of security tools and services. This is why the CVE database does not contain any information regarding risk, impact or remediation of the vulnerability. Detailed technical information is also not included. A CVE only contains the identification number with status, a short description and references to reports and advisories.
The National Vulnerability Database (NVD) refers to MITRE’s CVE database and supplements this information with information in regards to remediation of the vulnerability, the severity, affected products and possible impact. Greenbone refers to the CVE database of the NVD so that information is included. At the same time does the GSM combine the information with the NVTs and the CERT-Bund and DFN-CERT advisories.
This information can be displayed comfortably in the web interface.
The abbreviation CPE stands for Common Platform Enumeration, modelled after CVE and started by MITRE as well, as an industry standard for a common naming convention for information technology systems. Hereby common naming exists for operating systems and applications allowing for global referencing.
Originally the Common Platform Enumeration (CPE) was initiated by MITRE. Today the CPE standard is maintained by the US American National Institute for Standards and Technology NIST as part f the National Vulnerability Database (NVD). NIST already had maintained the official CPE dictionary and the CPE specifications for many years. CPE is a structured naming schema for applications, operating systems and hardware devices. It is based on the generic syntax of the Uniform Resource Identifier (URI).
Due to the fact that the CPE standard is closely tied to the CVE standard, their combination allows for conclusion of existing vulnerabilities when discovering a platform or product.
CPE is composed of the following components:
The Open Vulnerability and Assessment Language is also a Mitre project.
It is a language to describe vulnerabilities, configuration settings (compliance), patches and applications (inventory).
The XML based definitions allow for simple processing by automated systems.
As such the OVAL definition
oval:org.mitre.oval:def:22127 of the inventory class describes the Adobe Flash Player 12 while the OVAL definition
oval:org.mitre.oval:def:22272 describes a vulnerability of Google Chrome under Windows.
These OVAL definitions are created made available in XML and describe the discovery of individual systems and vulnerabilities. The above mentioned OVAL definition 22272 has the following structure:
<definition id="oval:org.mitre.oval:def:22272" version="4" class="vulnerability"> <metadata> <title>Vulnerability in Google Chrome before 32.0.1700.76 on Windows allows attackers to trigger a sync with an arbitrary Google account by leveraging improper handling of the closing of an untrusted signin confirm dialog</title> <affected family="windows"> <platform>Microsoft Windows 2000</platform> <platform>Microsoft Windows XP</platform> <platform>Microsoft Windows Server 2003</platform> <platform>Microsoft Windows Server 2008</platform> <platform>Microsoft Windows Server 2008 R2</platform> <platform>Microsoft Windows Vista</platform> <platform>Microsoft Windows 7</platform> <platform>Microsoft Windows 8</platform> <platform>Microsoft Windows 8.1</platform> <platform>Microsoft Windows Server 2012</platform> <platform>Microsoft Windows Server 2012 R2</platform> <product>Google Chrome</product> </affected> <reference source="CVE" ref_id="CVE-2013-6643" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6643"/> <description>The OneClickSigninBubbleView::WindowClosing function in browser/ui/views/sync/one_click_signin_bubble_view.cc in Google Chrome before 32.0.1700.76 on Windows and before 32.0.1700.77 on Mac OS X and Linux allows attackers to trigger a sync with an arbitrary Google account by leveraging improper handling of the closing of an untrusted signin confirm dialog.</description> <oval_repository> <dates> <submitted date="2014-02-03T12:56:06"> <contributor organization="ALTX-SOFT">Maria Kedovskaya</contributor> </submitted> <status_change date="2014-02-04T12:25:48.757-05:00">DRAFT</status_change> <status_change date="2014-02-24T04:03:01.652-05:00">INTERIM</status_change> <status_change date="2014-03-17T04:00:17.615-04:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria> <extend_definition comment="Google Chrome is installed" definition_ref="oval:org.mitre.oval:def:11914"/> <criteria operator="AND" comment="Affected versions of Google Chrome"> <criterion comment="Check if the version of Google Chrome is greater than or equals to 32.0.1651.2" test_ref="oval:org.mitre.oval:tst:100272"/> <criterion comment="Check if the version of Google Chrome is less than or equals to 32.0.1700.75" test_ref="oval:org.mitre.oval:tst:99783"/> </criteria> </criteria> </definition>
This information are being processed graphically by the web interface and presented easily readable (see figure OVAL describes the discovery of vulnerabilities.).
A big problem for regular administrators is the interpretation of vulnerability with their own environment. How critical does he have to rate a vulnerability? To support personnel that do not work with the analysis and rating of vulnerabilities constantly the Common Vulnerability Scoring System (CVSS) was invented. CVSS is an industry standard for the description of the severity of security risks in computer systems. In the CVSS security risks are rated and compared using different criteria. This allows for the creation of a priority list of counter measures.
The CVSS score is continuously improved upon. Currently in general the CVSS score version 2 is being used. Version 3 is being developed by the CVSS Special Interest Group (CVSS-SIG) of the Forum of Incident Response and Security Teams (FIRST).
The CVSS score in version 2 supports Base Score Metrics, Temporal Score Metrics and Environmental Score Metrics.
The Base Score Metrics in general test the exploitability of a vulnerability and their impact on the target system. Hereby access, complexity and requirement of authentication are rated. At the same time they rate if the confidentiality, integrity or availability is threatened.
The Temporal Score Metrics test if completed example code exists, the vendor already supplied a patch and confirmed the vulnerability. The score will be changing drastically in the course of time.
The Environmental Score Metrics review if control damage has to be suspected, the target distribution, and if confidentiality, integrity of availability is required. This assessment is strongly depended on the environment in which the vulnerable product is being used.
Since the Base Score Metrics are merely meaningful in general and can be determined permanently the GSM provides them as part of the SecInfo data.
Hereby the following formula is being used and can be calculated with the CVSS calculator of the GSM as well (Extras/CVSS-Calculator, see figure The CVSS calculator allows for the calculation of scores conveniently.).
Hereby the impact is calculated as follows:
The exploitability is calculated as:
The function is 0, if the impact is 0. In all other cases the value is 1.176. The other values are constants:
While the individual NVTs, CVEs, CPEs and OVAL definitions are being created primarily for processing by computer systems, the DFN-CERT publishes, like many other Computer Emergency Report Teams (CERTs), new advisories regularly. The DFN-CERT is responsible for hundreds of universities and research institutions that are associated with the German Research Network (German: Deutsches Forschungsnetz, abbreviated as DFN). An Advisory describes especially critical security risks that require fast reacting. These are being obtained by the GSM as well and stored to the database for reference. They can be displayed directly as well.
CERT-Bund offers a warning and information service (German: Warn- und Informationsdienst, abbreviated as WID). Currently this service offers two different types of Information (Excerpt from the website https://www.cert-bund.de/):
The Greenbone Security Feed contains the CERT-Bund Short Information.
They can be identified by the K in the message (
|||MITRE (Massachusetts Institute of Technology Research & Engineering) Corporation is an organization for the management of research institutions for the United States government that was formed by splitting off from the Massachusetts Institute of Technology (MIT).|