12. SecInfo Management

The SecInfo Management offers central access to different kinds of information relating to IT security:

NVTs
These are the Network Vulnerability Tests: the test routines the scanner runs against a target system to detect potential vulnerabilities.
CVEs
The Common Vulnerabilities and Exposures are publicly known vulnerabilities reported by vendors and security researchers, each with a unique identifier.
CPEs
The Common Platform Enumeration offers standardized names for the products (applications, operating systems and hardware) used in information technology.
OVAL Definitions
The Open Vulnerability and Assessment Language is a standardized language for describing how systems are tested for vulnerabilities, patches, configuration settings and installed software. OVAL definitions use this language to describe concretely how a specific vulnerability or product is detected.
CERT-Bund Advisories
The CERT-Bund advisories are published by the computer emergency response team of the German Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, BSI). The main task of CERT-Bund is the operation of a warning and information service that publishes information about new vulnerabilities, security risks and threats to IT systems.
DFN-CERT Advisories
The DFN-CERT is the computer emergency response team of the German Research Network (German: Deutsches Forschungsnetz, DFN).

The CVEs and CPEs are published and made accessible by NIST as part of the National Vulnerability Database (NVD); the OVAL definitions come from the OVAL repository maintained by MITRE (see also section Security Content Automation Protocol (SCAP)).

Note

When the SCAP database and/or the CERT database are missing on the GMP server, an error message is displayed.

In this case, the list on the corresponding SecInfo list page is empty.

The SCAP data is updated during a SCAP data feed synchronization and the CERT data during a CERT data feed synchronization. The data usually appears once these synchronizations have completed. Normally they are run automatically by a periodic background process.

_images/secinfo-dashboard.png

The SecInfo Dashboard allows displaying data graphically.

The SecInfo Dashboard (see figure The SecInfo Dashboard allows displaying data graphically.) gives a quick overview of this information. It displays the different kinds of information graphically, grouped by various aspects.

12.1. SecInfo Portal

SecInfo data is also provided online by Greenbone Networks. This portal can be accessed directly through the Internet and contains the same data that can be displayed in the GSM. The SecInfo Portal is a GSM ONE that has been configured especially for anonymous guest access. In contrast to a full-fledged GSM, only the SecInfo management and the CVSS online calculator are available to the guest user.

The SecInfo Portal serves several purposes:

  • Anonymous access to details of the Greenbone vulnerability tests as well as the SCAP data (CVE, CPE, OVAL) and the advisories of different CERTs. The data is cross-referenced, so the security information about a product, a vendor or a specific vulnerability can be browsed.
  • Demo of the respective upcoming version of the Greenbone OS as soon as its SecInfo section has reached beta status.
  • Service for embedded diagrams, as used for example on the Greenbone website for feed statistics.
  • Service for direct links to details or specific selections, for example to a specific CVE (CVE-2014-0160, Heartbleed) or to an overview such as all CVEs published in 2013.
  • Service for links to a CVSS vulnerability rating, including the CVSS online calculator, for example for the vector AV:N/AC:L/Au:N/C:P/I:P/A:P.
  • Example of how a GSM can be configured on an intranet to allow direct links from internal reports and platforms.

Such access can be provided by activating guest access (see section Creating a Guest Login).

12.2. Network Vulnerability Tests (NVT)

NVT is short for Network Vulnerability Test. NVTs are the test routines the GSM utilizes; they are updated regularly with the Greenbone Security Feed. Each NVT carries information about when the test was developed, which systems are affected, what impact the vulnerability has and how it can be remediated.

Compared to Greenbone OS 3.0 there are two new pieces of information: the Solution Type (see Solution Type) and the Quality of Detection (QoD, see Quality of Detection (QoD)).

With the introduction of the QoD, the parameter Paranoid in the scan configuration (see chapter Managing Scan Configurations) has been removed without replacement. In the past a scan configuration without this parameter only used NVTs with a QoD of at least 70%. Now all NVTs of a scan configuration are executed, and the filtering is applied to the results based on their QoD. That way all results are always available in the database and can be shown or hidden by adjusting the QoD filter.
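As an added example (not part of this manual and not Greenbone code), the following Python script shows what this filtering amounts to: every result stays in the data, and the QoD threshold only decides which of them are shown. The XML is a constructed sample modelled on the result elements of a get_results response, with the QoD carried as a qod/value element; that structure, the QoD type names and the default threshold of 70 of the web interface filter (keyword min_qod) are assumptions taken from the description above, not captured output.

```python
"""Quality of Detection (QoD) filtering of scan results.

Added example for this manual, not Greenbone code. SAMPLE_RESULTS is a
constructed sample modelled on the <result> elements of a get_results
response; the <qod><value> element and the default threshold of 70
(filter keyword min_qod) are assumptions taken from the text.
"""
import xml.etree.ElementTree as ET

SAMPLE_RESULTS = """<get_results_response status="200" status_text="OK">
  <result id="r1">
    <name>OpenSSL Heartbeat Information Disclosure</name>
    <host>192.0.2.10</host><port>443/tcp</port><severity>5.0</severity>
    <qod><value>99</value><type>remote_vul</type></qod>
  </result>
  <result id="r2">
    <name>Apache HTTP Server Version Disclosure</name>
    <host>192.0.2.10</host><port>80/tcp</port><severity>4.3</severity>
    <qod><value>80</value><type>remote_banner</type></qod>
  </result>
  <result id="r3">
    <name>Outdated PHP Version (banner based, unreliable)</name>
    <host>192.0.2.11</host><port>80/tcp</port><severity>7.5</severity>
    <qod><value>30</value><type>remote_banner_unreliable</type></qod>
  </result>
  <result id="r4">
    <name>SSH Weak MAC Algorithms Supported</name>
    <host>192.0.2.11</host><port>22/tcp</port><severity>2.6</severity>
    <qod><value>70</value><type>remote_analysis</type></qod>
  </result>
</get_results_response>"""

DEFAULT_MIN_QOD = 70  # default of the web interface's result filter (min_qod=70)


def parse_results(xml_text):
    """Extract id, name, host, severity and QoD of every <result> element."""
    root = ET.fromstring(xml_text)
    return [
        {
            "id": res.get("id"),
            "name": res.findtext("name"),
            "host": res.findtext("host"),
            "severity": float(res.findtext("severity")),
            "qod": int(res.findtext("qod/value")),
        }
        for res in root.findall("result")
    ]


def filter_by_qod(results, min_qod=DEFAULT_MIN_QOD):
    """Keep the results whose QoD reaches the threshold (inclusive: min_qod=70 keeps 70)."""
    return [r for r in results if r["qod"] >= min_qod]


def summarize(xml_text, min_qod=DEFAULT_MIN_QOD):
    """Return (total, shown, hidden ids); the hidden results are still in the data."""
    results = parse_results(xml_text)
    shown = filter_by_qod(results, min_qod)
    hidden = [r["id"] for r in results if r["qod"] < min_qod]
    return len(results), len(shown), hidden


if __name__ == "__main__":
    total, shown, hidden = summarize(SAMPLE_RESULTS)
    print(f"min_qod={DEFAULT_MIN_QOD}: {shown} of {total} results shown, hidden: {hidden}")
    # Lowering the threshold reveals the unreliable detection without a new scan.
    total, shown, hidden = summarize(SAMPLE_RESULTS, min_qod=30)
    print(f"min_qod=30: {shown} of {total} results shown, hidden: {hidden}")
```

With the default threshold the banner-based PHP finding (QoD 30) is hidden although its severity is the highest of the four; lowering min_qod shows it again without rescanning, which is exactly the trade-off the removed Paranoid parameter used to decide up front.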

All available NVTs can be displayed by selecting SecInfo > NVTs in the menu bar. By clicking on an NVT in the column Name, the details page with further information about the NVT is opened.

12.3. Security Content Automation Protocol (SCAP)

The National Institute of Standards and Technology (NIST) provides the National Vulnerability Database (NVD). The NVD is the vulnerability management data repository of the US government. Its goal is to provide this data in a standardized form for automated processing, which supports vulnerability management and allows the implementation of compliance guidelines to be verified. The NVD provides different databases including the following:

  • Checklists
  • Vulnerabilities
  • Misconfigurations
  • Products
  • Threat metrics

For this, the NVD utilizes the Security Content Automation Protocol (SCAP). SCAP is a combination of different interoperable standards. Many of these standards were developed or derived in public discussion, and the participation of the community in their development is an important factor in the acceptance and spread of the SCAP standards. SCAP is currently specified in version 1.2 and includes the following components:

  • Languages
    • XCCDF: The Extensible Configuration Checklist Description Format
    • OVAL: Open Vulnerability and Assessment Language
    • OCIL: Open Checklist Interactive Language
    • Asset Identification
    • ARF: Asset Reporting Format
  • Collections
    • CCE: Common Configuration Enumeration
    • CPE: Common Platform Enumeration
    • CVE: Common Vulnerabilities and Exposures
  • Metrics
    • CVSS: Common Vulnerability Scoring System
    • CCSS: Common Configuration Scoring System
  • Integrity
    • TMSAD: Trust Model for Security Automation Data

OVAL, CCE, CPE and CVE are trademarks of NIST.

The Greenbone Vulnerability Scanner uses OVAL, CVE, CPE and CVSS. Utilizing these standards ensures interoperability with other systems and allows results to be compared.

Vulnerability scanners such as the Greenbone Security Manager can be validated by NIST against SCAP. The Greenbone Security Manager has been validated for SCAP version 1.0.

12.3.1. CVE

In the past, multiple organizations often discovered and reported vulnerabilities at the same time and assigned them different names. Thus, different scanners reported the same vulnerability under different names, which made communication and comparison of the results complicated.

To address this, MITRE, sponsored by US-CERT, founded the CVE project in 1999. Every vulnerability is assigned a unique identifier consisting of the year and a sequence number (for example CVE-2013-6643). This identifier then serves as a central reference.

The CVE database of MITRE is not a vulnerability database. CVE was developed to connect vulnerability databases and other systems with each other. This allows security tools and services to be compared.

The CVE database does not contain detailed technical information or any information regarding risk, impact or remediation of the vulnerability. A CVE entry only contains the identification number with its status, a short description and references to reports and advisories.

The NVD refers to the CVE database and complements the content with information regarding remediation, severity, possible impact and affected products of the vulnerability. Greenbone Networks uses the CVE database of the NVD. At the same time the Greenbone Security Manager cross-references this information with the NVTs and with the CERT-Bund and DFN-CERT advisories.

All available CVEs can be displayed by selecting SecInfo > CVEs in the menu bar. By clicking on a CVE in the column Name, the details page with further information about the CVE is opened (see figure Details page of a CVE).

_images/cve.png

Details page of a CVE

12.3.2. CPE

CPE is short for Common Platform Enumeration and is modelled after CVE. It is a structured naming scheme for applications, operating systems and hardware devices, providing a common name for global referencing.

CPE was initiated by MITRE. Today the CPE standard is maintained by NIST as a part of the NVD. NIST has already maintained the official CPE dictionary and the CPE specifications for many years. CPE is based on the generic syntax of the Uniform Resource Identifier (URI).

_images/cpe_name_structure_2000x1125.png

Name structure of a CPE name

Since the CPE standard is closely tied to the CVE standard, their combination allows conclusions about existing vulnerabilities to be drawn as soon as a platform or product has been discovered.

CPE is composed of the following components:

  • Naming
    The name specification describes the logical structure of well-formed names (WFNs), their binding to URIs and formatted character strings as well as their conversion.
  • Name Matching
    The name matching specification describes the methods to compare WFNs with each other. This allows testing whether some or all WFNs refer to the same product.
  • Dictionary
    The dictionary is a repository of CPE names and metadata. Every name defines a single class of an IT product. The dictionary specification describes the processes for the use of the dictionary, e.g. the search for a specific name or for entries belonging to a more general class.
  • Applicability Language
    The applicability language specification describes the creation of complex logical expressions with the help of WFNs. These applicability statements can be used for tagging checklists, guidelines or other documents and so describe which products these documents are relevant for.

All available CPEs can be displayed by selecting SecInfo > CPEs in the menu bar. By clicking on a CPE in the column Name, the details page with further information about the CPE is opened.

12.3.3. OVAL

The Open Vulnerability and Assessment Language is a MITRE project as well. It is a language for describing vulnerabilities, configuration settings (compliance), patches and installed applications (inventory). The XML-based definitions allow simple processing by automated systems. For example, the OVAL definition oval:org.mitre.oval:def:22127 of the inventory class describes Adobe Flash Player 12, while the OVAL definition oval:org.mitre.oval:def:22272 describes a vulnerability of Google Chrome on Windows.

OVAL definitions are made available in XML and describe how individual systems and vulnerabilities are detected. The OVAL definition 22272 mentioned above has the following structure:

<definition id="oval:org.mitre.oval:def:22272" version="4" class="vulnerability">
  <metadata>
    <title>Vulnerability in Google Chrome before 32.0.1700.76 on Windows allows
           attackers to trigger a sync with an arbitrary Google account by
           leveraging improper handling of the closing of an untrusted signin
           confirm dialog</title>
    <affected family="windows">
      <platform>Microsoft Windows 2000</platform>
      <platform>Microsoft Windows XP</platform>
      <platform>Microsoft Windows Server 2003</platform>
      <platform>Microsoft Windows Server 2008</platform>
      <platform>Microsoft Windows Server 2008 R2</platform>
      <platform>Microsoft Windows Vista</platform>
      <platform>Microsoft Windows 7</platform>
      <platform>Microsoft Windows 8</platform>
      <platform>Microsoft Windows 8.1</platform>
      <platform>Microsoft Windows Server 2012</platform>
      <platform>Microsoft Windows Server 2012 R2</platform>
      <product>Google Chrome</product>
    </affected>
    <reference source="CVE" ref_id="CVE-2013-6643"
     ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6643"/>
    <description>The OneClickSigninBubbleView::WindowClosing function in
      browser/ui/views/sync/one_click_signin_bubble_view.cc in Google
      Chrome before 32.0.1700.76 on Windows and before 32.0.1700.77 on Mac
      OS X and Linux allows attackers to trigger a sync with an arbitrary
      Google account by leveraging improper handling of the closing of an
      untrusted signin confirm dialog.</description>
    <oval_repository>
      <dates>
        <submitted date="2014-02-03T12:56:06">
          <contributor organization="ALTX-SOFT">Maria Kedovskaya</contributor>
        </submitted>
        <status_change date="2014-02-04T12:25:48.757-05:00">DRAFT</status_change>
        <status_change date="2014-02-24T04:03:01.652-05:00">INTERIM</status_change>
        <status_change date="2014-03-17T04:00:17.615-04:00">ACCEPTED</status_change>
      </dates>
      <status>ACCEPTED</status>
    </oval_repository>
  </metadata>
  <criteria>
    <extend_definition comment="Google Chrome is installed"
     definition_ref="oval:org.mitre.oval:def:11914"/>
    <criteria operator="AND" comment="Affected versions of Google Chrome">
      <criterion comment="Check if the version of Google Chrome is greater than
        or equals to  32.0.1651.2" test_ref="oval:org.mitre.oval:tst:100272"/>
      <criterion comment="Check if the version of Google Chrome is less than
        or equals to  32.0.1700.75" test_ref="oval:org.mitre.oval:tst:99783"/>
    </criteria>
  </criteria>
</definition>

This information is processed by the web interface and presented in an easily readable form (see figure Details page of an OVAL definition).
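To make the structure concrete, here is an added Python example (not this manual's, Greenbone's or MITRE's code, and not an OVAL interpreter) that parses a condensed copy of the definition above and evaluates its criteria tree. A real OVAL scanner runs each referenced test against the collected system state; here the outcome of each test and of the extended definition is supplied as a constructed table for three hypothetical hosts, so only the combination logic of the definition (AND/OR/ONE/XOR criteria, extend_definition, negate) is shown.

```python
"""Evaluating the criteria tree of an OVAL definition.

Added example for this manual; not Greenbone or MITRE code and not an OVAL
interpreter. The outcome of each referenced test and of the extended
definition is supplied by the caller (constructed per-host tables below)
instead of being collected from a system.
"""
import xml.etree.ElementTree as ET

# Condensed from oval:org.mitre.oval:def:22272 as shown in the manual:
# metadata trimmed to the fields read here, criteria structure unchanged.
DEFINITION_22272 = """<definition id="oval:org.mitre.oval:def:22272" version="4" class="vulnerability">
  <metadata>
    <title>Vulnerability in Google Chrome before 32.0.1700.76 on Windows</title>
    <affected family="windows"><product>Google Chrome</product></affected>
    <reference source="CVE" ref_id="CVE-2013-6643"/>
  </metadata>
  <criteria>
    <extend_definition comment="Google Chrome is installed"
     definition_ref="oval:org.mitre.oval:def:11914"/>
    <criteria operator="AND" comment="Affected versions of Google Chrome">
      <criterion comment="version at least 32.0.1651.2" test_ref="oval:org.mitre.oval:tst:100272"/>
      <criterion comment="version at most 32.0.1700.75" test_ref="oval:org.mitre.oval:tst:99783"/>
    </criteria>
  </criteria>
</definition>"""


def parse_definition(xml_text):
    """Read the metadata a practitioner looks for first, and keep the criteria element."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("id"),
        "class": root.get("class"),
        "title": root.findtext("metadata/title"),
        "cves": [r.get("ref_id") for r in root.findall("metadata/reference")
                 if r.get("source") == "CVE"],
        "criteria": root.find("criteria"),
    }


def evaluate(node, test_results, definition_results):
    """Return the boolean result of a <criteria>, <criterion> or <extend_definition>.

    Unknown references raise KeyError on purpose: a test that was never
    evaluated must not silently count as "not vulnerable". (OVAL also knows
    unknown/error/not evaluated results; they are reduced to booleans here.)
    """
    if node.tag == "criterion":
        result = test_results[node.get("test_ref")]
    elif node.tag == "extend_definition":
        result = definition_results[node.get("definition_ref")]
    elif node.tag == "criteria":
        operator = node.get("operator", "AND")  # AND is the OVAL default
        children = [evaluate(c, test_results, definition_results) for c in node]
        if operator == "AND":
            result = all(children)
        elif operator == "OR":
            result = any(children)
        elif operator == "ONE":
            result = sum(children) == 1
        elif operator == "XOR":
            result = sum(children) % 2 == 1
        else:
            raise ValueError(f"unsupported operator {operator!r}")
    else:
        raise ValueError(f"unexpected element <{node.tag}> in criteria")
    if node.get("negate", "false") == "true":
        result = not result
    return result


def is_vulnerable(xml_text, test_results, definition_results):
    """Evaluate the whole definition for one host's test and definition outcomes."""
    definition = parse_definition(xml_text)
    return evaluate(definition["criteria"], test_results, definition_results)


# Constructed outcomes for three hypothetical hosts: whether Chrome is
# installed (def:11914) and the two version tests (tst:100272, tst:99783).
HOSTS = {
    "chrome-32.0.1700.75": ({"oval:org.mitre.oval:tst:100272": True,
                             "oval:org.mitre.oval:tst:99783": True},
                            {"oval:org.mitre.oval:def:11914": True}),
    "chrome-32.0.1700.76": ({"oval:org.mitre.oval:tst:100272": True,
                             "oval:org.mitre.oval:tst:99783": False},
                            {"oval:org.mitre.oval:def:11914": True}),
    "no-chrome": ({"oval:org.mitre.oval:tst:100272": False,
                   "oval:org.mitre.oval:tst:99783": False},
                  {"oval:org.mitre.oval:def:11914": False}),
}


def evaluate_hosts(xml_text, hosts=HOSTS):
    """Map each host name to the definition's result for it."""
    return {name: is_vulnerable(xml_text, tests, defs) for name, (tests, defs) in hosts.items()}


if __name__ == "__main__":
    meta = parse_definition(DEFINITION_22272)
    print(meta["id"], meta["class"], meta["cves"])
    print(evaluate_hosts(DEFINITION_22272))
```

Two details matter in practice: the nested criteria element only counts once both version tests hold, so the host running 32.0.1700.76 (the fixed release) is not flagged, and a missing test result raises instead of defaulting to "not affected". Feed XML that comes from outside should be parsed with a hardened parser such as defusedxml rather than the plain ElementTree used here for brevity.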

All available OVAL definitions can be displayed by selecting SecInfo > OVAL Definitions in the menu bar. By clicking on an OVAL definition in the column Name, the details page with further information about the OVAL definition is opened (see figure Details page of an OVAL definition).

_images/oval.png

Details page of an OVAL definition

12.3.4. CVSS

A large problem for administrators is the interpretation of a vulnerability within their own environment.

To support personnel who do not work with the analysis and rating of vulnerabilities constantly, the Common Vulnerability Scoring System (CVSS) was created. CVSS is an industry standard for describing the severity of security risks in computer systems. Security risks are rated and compared using different criteria, which allows a prioritized list of countermeasures to be created.

The CVSS standard is continuously improved. Currently, CVSS version 2 is generally used. Version 3 is being developed by the CVSS Special Interest Group (CVSS-SIG) of the Forum of Incident Response and Security Teams (FIRST).

CVSS version 2 supports base score metrics, temporal score metrics and environmental score metrics.

The base score metrics rate the exploitability of a vulnerability and its impact on the target system. The access vector, the access complexity and the required authentication are rated, as well as whether confidentiality, integrity or availability is threatened.

The temporal score metrics rate whether working exploit code exists and whether the vendor has already supplied a patch and confirmed the vulnerability. This score can change considerably over time.

The environmental score metrics rate the collateral damage potential, the target distribution and the confidentiality, integrity and availability requirements. This assessment strongly depends on the environment in which the vulnerable product is used.

Since only the base score metrics are generally meaningful and can be determined once and for all, the GSM provides them as part of the SecInfo data.

The CVSS calculator can be opened by selecting Extras > CVSS Calculator in the menu bar (see figure CVSS calculator for calculating scores conveniently).

_images/cvss.png

CVSS calculator for calculating scores conveniently

The following formula is used and can be evaluated with the CVSS calculator:

BaseScore = roundTo1Decimal( ( ( 0.6 * Impact ) +
            ( 0.4 * Exploitability ) - 1.5 ) * f( Impact ) )

Hereby the impact is calculated as follows:

Impact = 10.41 * (1 - (1 - ConfImpact) *
         (1 - IntegImpact) * (1 - AvailImpact))

The exploitability is calculated as:

Exploitability = 20 * AccessVector * AccessComplexity * Authentication

The function f(Impact) is 0 if the impact is 0; in all other cases its value is 1.176. The other values are constants:

  • Access Vector
    • requires local access: 0.395
    • adjacent network accessible: 0.646
    • network accessible: 1.0
  • Access Complexity
    • high: 0.35
    • medium: 0.61
    • low: 0.71
  • Authentication
    • requires multiple instances of authentication: 0.45
    • requires single instance of authentication: 0.56
    • requires no authentication: 0.704
  • ConfImpact
    • none: 0.0
    • partial: 0.275
    • complete: 0.660
  • IntegImpact
    • none: 0.0
    • partial: 0.275
    • complete: 0.660
  • AvailImpact
    • none: 0.0
    • partial: 0.275
    • complete: 0.660
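As an added example (not Greenbone's CVSS calculator), the following Python script implements the formula and constant tables above for base vectors written as AV:x/AC:x/Au:x/C:x/I:x/A:x, the notation in which the SecInfo Portal link in section SecInfo Portal expresses a CVSS v2 base vector. It validates the vector, computes the impact and exploitability subscores and rounds half up as round_to_1_decimal requires; the vectors in the usage block are worked examples chosen here, with the portal's vector AV:N/AC:L/Au:N/C:P/I:P/A:P among them.

```python
"""CVSS version 2 base score from a base vector string.

Added example for this manual, not Greenbone's CVSS calculator. Implements
the formula and constant tables given above for vectors written as
AV:x/AC:x/Au:x/C:x/I:x/A:x.
"""
from decimal import Decimal, ROUND_HALF_UP

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # local, adjacent network, network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # high, medium, low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # multiple, single, none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}              # none, partial, complete (C, I and A)

METRICS = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', ...}, rejecting anything malformed."""
    values = {}
    for part in vector.strip().split("/"):
        metric, sep, value = part.partition(":")
        if not sep or metric not in METRICS or value not in METRICS[metric]:
            raise ValueError(f"unknown metric or value {part!r} in {vector!r}")
        if metric in values:
            raise ValueError(f"duplicate metric {metric!r} in {vector!r}")
        values[metric] = value
    missing = sorted(set(METRICS) - set(values))
    if missing:
        raise ValueError(f"missing base metrics {missing} in {vector!r}")
    return values


def round_to_1_decimal(x):
    """CVSS v2 rounds half up; Python's round() rounds half to even on some inputs."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def impact_subscore(m):
    """Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))"""
    return 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))


def exploitability_subscore(m):
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication"""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def base_score(vector):
    """Base score of a CVSS v2 vector string, e.g. 7.5 for AV:N/AC:L/Au:N/C:P/I:P/A:P."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    exploitability = exploitability_subscore(m)
    f_impact = 0 if impact == 0 else 1.176
    if f_impact == 0:
        return 0.0  # no impact on C, I or A: the score is 0 regardless of exploitability
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


if __name__ == "__main__":
    for vector in ("AV:N/AC:L/Au:N/C:P/I:P/A:P",   # the vector linked from the SecInfo Portal
                   "AV:N/AC:L/Au:N/C:C/I:C/A:C",   # worst case: remote, trivial, full compromise
                   "AV:L/AC:L/Au:N/C:C/I:C/A:C",   # same impact, but local access needed
                   "AV:L/AC:H/Au:M/C:N/I:N/A:N"):  # no impact at all
        m = parse_vector(vector)
        print(f"{vector}: impact={impact_subscore(m):.2f} "
              f"exploitability={exploitability_subscore(m):.2f} base={base_score(vector)}")
```

Only the base metrics are implemented, matching what the GSM stores as SecInfo data; temporal and environmental adjustments apply further factors to this score and depend on information the feed does not carry. The half-up rounding is deliberate: a value such as 7.25 must become 7.3, whereas Python's built-in round() would give 7.2.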

12.4. DFN-CERT

While the individual NVTs, CVEs, CPEs and OVAL definitions are created primarily to be processed by computer systems, the advisories the DFN-CERT publishes regularly are written for human readers.

The DFN-CERT is responsible for hundreds of universities and research institutions that are associated with the German Research Network (German: Deutsches Forschungsnetz, abbreviated as DFN). Additionally, it provides key security services to government and industry. An advisory describes especially critical security risks that require a fast reaction. The DFN-CERT advisory service includes the categorization, distribution and rating of advisories issued by different software vendors and distributors. The advisories are retrieved by the Greenbone Security Manager and stored in its database for reference.

All available DFN-CERT advisories can be displayed by selecting SecInfo > DFN-CERT Advisories in the menu bar. By clicking on a DFN-CERT advisory in the column Name, the details page with further information about the DFN-CERT advisory is opened.

12.5. CERT-Bund

CERT-Bund (Computer Emergency Response Team for federal agencies) is the central point of contact for preventive and reactive measures regarding security-related computer incidents.

With the intention of avoiding harm and limiting potential damage, the work of CERT-Bund includes the following:

  • Creating and publishing recommendations for preventive measures
  • Pointing out vulnerabilities in hardware and software products
  • Proposing measures to address known vulnerabilities
  • Supporting public agencies in their efforts to respond to IT security incidents
  • Recommending various mitigation measures

Additionally, CERT-Bund operates the German IT Situation Centre.

The services of CERT-Bund are primarily available to the federal authorities and include the following:

  • 24-hour on-call duty in cooperation with the IT Situation Centre
  • Analyzing incoming incident reports
  • Creating recommendations derived from incidents
  • Supporting federal authorities during IT security incidents
  • Operating a warning and information service
  • Active alerting of the federal administration in case of imminent danger

CERT-Bund offers a warning and information service (German: Warn- und Informationsdienst, abbreviated as “WID”). Currently this service offers two different types of information:

Advisories
This information service is only available to federal agencies as a closed list. The advisories describe current information about security critical incidents in computer systems and detailed measures to remediate security risks.
Short Information
Short information consists of brief descriptions of current security risks and vulnerabilities. This information is not always verified and may under some circumstances be incomplete or even inaccurate.

The Greenbone Security Feed contains the CERT-Bund Short Information. These can be identified by the "K" in the identifier (for example CB-K14/1296).

All available CERT-Bund advisories can be displayed by selecting SecInfo > CERT-Bund Advisories in the menu bar. By clicking on a CERT-Bund advisory in the column Name, the details page with further information about the CERT-Bund advisory is opened.