Re: [scap_interest] Gaps in Risk Management
Adam Montville <amontville@tripwire.com> Tue, 14 February 2012 21:07 UTC
Return-Path: <amontville@tripwire.com>
X-Original-To: scap_interest@ietfa.amsl.com
Delivered-To: scap_interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 276E721F85AF for <scap_interest@ietfa.amsl.com>; Tue, 14 Feb 2012 13:07:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.774
X-Spam-Level:
X-Spam-Status: No, score=-4.774 tagged_above=-999 required=5 tests=[AWL=-1.175, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jjRwXaJdcp0r for <scap_interest@ietfa.amsl.com>; Tue, 14 Feb 2012 13:07:44 -0800 (PST)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe001.messaging.microsoft.com [216.32.181.181]) by ietfa.amsl.com (Postfix) with ESMTP id 229F221F85A7 for <scap_interest@ietf.org>; Tue, 14 Feb 2012 13:07:43 -0800 (PST)
Received: from mail25-ch1-R.bigfish.com (10.43.68.252) by CH1EHSOBE007.bigfish.com (10.43.70.57) with Microsoft SMTP Server id 14.1.225.23; Tue, 14 Feb 2012 21:07:39 +0000
Received: from mail25-ch1 (localhost [127.0.0.1]) by mail25-ch1-R.bigfish.com (Postfix) with ESMTP id 694734A0347; Tue, 14 Feb 2012 21:07:43 +0000 (UTC)
X-SpamScore: -34
X-BigFish: VPS-34(zz9371I9f17R98dKzz1202hzz1033IL8275bh8275dhz2dh2a8h668h839h946h)
X-Forefront-Antispam-Report: CIP:174.47.84.216; KIP:(null); UIP:(null); IPV:NLI; H:PDXHB01.tripwire.com; RD:174-47-84-216.static.twtelecom.net; EFVD:NLI
Received: from mail25-ch1 (localhost.localdomain [127.0.0.1]) by mail25-ch1 (MessageSwitch) id 132925366156212_22803; Tue, 14 Feb 2012 21:07:41 +0000 (UTC)
Received: from CH1EHSMHS017.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.249]) by mail25-ch1.bigfish.com (Postfix) with ESMTP id 01F8F24004A; Tue, 14 Feb 2012 21:07:41 +0000 (UTC)
Received: from PDXHB01.tripwire.com (174.47.84.216) by CH1EHSMHS017.bigfish.com (10.43.70.17) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 14 Feb 2012 21:07:36 +0000
Received: from PDXHB01.tripwire.com (172.30.0.53) by PDXED01.tripwire.com (192.168.192.5) with Microsoft SMTP Server (TLS) id 14.1.355.2; Tue, 14 Feb 2012 13:16:25 -0800
Received: from PDXMB02.tripwire.com ([fe80::f997:7b65:8e64:438e]) by PDXHB01.tripwire.com ([fe80::d495:98d2:7df4:2154%11]) with mapi id 14.01.0355.002; Tue, 14 Feb 2012 13:07:38 -0800
From: Adam Montville <amontville@tripwire.com>
To: Karen Scarfone <karen@scarfonecybersecurity.com>
Thread-Topic: [scap_interest] Gaps in Risk Management
Thread-Index: AQHM61pd/+qf+nsvQUKFi0HafiSh75Y9ZeAA//98xwA=
Date: Tue, 14 Feb 2012 21:07:37 +0000
Message-ID: <CB600AF7.91EC%amontville@tripwire.com>
In-Reply-To: <CAAfuYh-LaYmcWy9k0U=aCrfWET2BEp3aEuohp_he1emDZEKKXA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.14.0.111121
x-originating-ip: [172.16.97.166]
x-exclaimer-md-config: 79afcaa7-fdf4-4fa6-abe0-afeaa4640a4f
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <EFB5A79C5755A146B1FFB9B993B9A365@tripwire.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tripwire.com
Cc: "scap_interest@ietf.org" <scap_interest@ietf.org>
Subject: Re: [scap_interest] Gaps in Risk Management
X-BeenThere: scap_interest@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <scap_interest.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scap_interest>
List-Post: <mailto:scap_interest@ietf.org>
List-Help: <mailto:scap_interest-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2012 21:07:47 -0000
Great points, Karen! These are issues that should be discussed. Maybe the end goal would be to get to an ability to represent risk, but the interim step is to more completely represent vulnerabilities and their relationships. Whatever we come up with for the automation piece should certainly feed into a larger risk management picture which could take into account the "human vulnerability" measurements. In other words, I believe that we can provide risk measurement in a modular way, where conveying misconfiguration risk would complement vulnerability risk, and vice versa, without necessarily requiring the other elements of risk management to be present – these would feed up into the risk management system. I could see vocabulary of relationships being established as part of closing these gaps. At the same time, we could be working to understand the variety of risk management frameworks that are out there and determine how to feed our data into those in an appropriate manner – this seems to imply a risk reporting effort of some kind. BTW, I wholeheartedly agree that relating configuration items to other configuration items is an issue that needs to be addressed. If we look at many control frameworks, we'll see some control with a derived requirement for "strong authentication." What does that mean for a Windows Server 2008 box managing users with user/pass credentials? We have to take into account not just password length, history, complexity and the like, but also account management settings (lockout, threshold and so on) and attack effectiveness as well (so it's not just relating configuration items to other configuration items). It becomes rather complicated. Adam From: Karen Scarfone <karen@scarfonecybersecurity.com<mailto:karen@scarfonecybersecurity.com>> Date: Tue, 14 Feb 2012 15:57:18 -0500 To: Adam Montville <amontville@tripwire.com<mailto:amontville@tripwire.com>> Cc: "scap_interest@ietf.org<mailto:scap_interest@ietf.org>" <scap_interest@ietf.org<mailto:scap_interest@ietf.org>> Subject: Re: [scap_interest] Gaps in Risk Management A few quick thoughts on this: * We can't aggregate all these vulnerabilities unless we can model their relationships. For example, a particular configuration setting might nullify the applicability of a particular software flaw, and configuration settings certainly affect each other. * There's a whole other class of vulnerabilities besides software flaws and configurations. Basically, any other vulnerability can be considered a trust misuse/abuse vulnerability: social engineering and insider attacks, for example. A risk management methodology that addresses software flaws and misconfigurations is inadequate if it doesn't capture the other vulnerabilities as well. We do have a spec, CMSS, designed to provide scoring for these vulnerabilities just like CVSS does for software flaws and CCSS does for misconfigurations. What we don't yet have is a (heaven help me) dictionary or taxonomy of CMSS vulnerabilities. (Fortunately, I'd expect this to be pretty small and straightforward to create, compared to CVE and CCE). Karen On Tue, Feb 14, 2012 at 3:51 PM, Adam Montville <amontville@tripwire.com<mailto:amontville@tripwire.com>> wrote: All, Security automation seeks to automate what we can ultimately within the framework of risk management. Scoring is not enough to measure risk. What appears to be needed is a method by which we can automate risk measurement. It would be interesting to discuss various ways in which such automation might be achieved along both qualitative and quantitative lines. The scoring methods we have in place today for vulnerabilities and configurations (CVSS and CCSS respectively) can measure risk of a particular instance of a class of concepts in our domain. What I don't see being possible at this point is a way to measure the aggregate instances of vulnerabilities and misconfigurations for some set of assets (whether that be a single asset or a composite asset representing an entire network). Risk management methodologies are not scarce – NIST, ISO, CobiT, OCTAVE and others all present some method of managing risk, and they are similar. How can we apply automation in support of these various risk management methods while providing both qualitative and quantitative risk assessment under the hood? Regards, Adam W. Montville | Security and Compliance Architect Direct: 503 276-7661 Mobile: 360 471-7815 TRIPWIRE | Take CONTROL http://www.tripwire.com _______________________________________________ scap_interest mailing list scap_interest@ietf.org<mailto:scap_interest@ietf.org> https://www.ietf.org/mailman/listinfo/scap_interest -- Karen Scarfone, Principal Consultant, Scarfone Cybersecurity karen@scarfonecybersecurity.com<mailto:karen@scarfonecybersecurity.com> (703)401-1018
- [scap_interest] Gaps in Risk Management Adam Montville
- Re: [scap_interest] Gaps in Risk Management Karen Scarfone
- Re: [scap_interest] Gaps in Risk Management Adam Montville
- Re: [scap_interest] Gaps in Risk Management Jerome Athias
- Re: [scap_interest] Gaps in Risk Management kathleen.moriarty
- Re: [scap_interest] Gaps in Risk Management Luis Nunez
- Re: [scap_interest] Gaps in Risk Management Adam Montville
- Re: [scap_interest] Gaps in Risk Management Lloyd, Mike