Re: [scap_interest] Gaps in Risk Management

Karen Scarfone <> Tue, 14 February 2012 20:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 10DCE21E8112 for <>; Tue, 14 Feb 2012 12:57:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.976
X-Spam-Status: No, score=-5.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UFhHCdYUJU-3 for <>; Tue, 14 Feb 2012 12:57:20 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 8EB9521E8103 for <>; Tue, 14 Feb 2012 12:57:19 -0800 (PST)
Received: from ([]) (using TLSv1) by ([]) with SMTP ID; Tue, 14 Feb 2012 12:57:19 PST
Received: by with SMTP id s15so385517lag.10 for <>; Tue, 14 Feb 2012 12:57:18 -0800 (PST)
MIME-Version: 1.0
Received: by with SMTP id tk9mr15755313lab.8.1329253038672; Tue, 14 Feb 2012 12:57:18 -0800 (PST)
Received: by with HTTP; Tue, 14 Feb 2012 12:57:18 -0800 (PST)
In-Reply-To: <>
References: <>
Date: Tue, 14 Feb 2012 15:57:18 -0500
Message-ID: <>
From: Karen Scarfone <>
To: Adam Montville <>
Content-Type: multipart/alternative; boundary=e89a8f2348ab2fcbf804b8f2d76d
X-Gm-Message-State: ALoCoQn6hKzSxacu0orTzEjXsFCVhQaHrlhtJFWOWaZ9KkViPOrltCktf1QvbzRFh/LqAwJICDLA
Cc: "" <>
Subject: Re: [scap_interest] Gaps in Risk Management
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Feb 2012 20:57:21 -0000

A few quick thoughts on this:

* We can't aggregate all these vulnerabilities unless we can model their
relationships. For example, a particular configuration setting might
nullify the applicability of a particular software flaw, and configuration
settings certainly affect each other.

* There's a whole other class of vulnerabilities besides software flaws and
configurations. Basically, any other vulnerability can be considered a
trust misuse/abuse vulnerability: social engineering and insider attacks,
for example. A risk management methodology that addresses software flaws
and misconfigurations is inadequate if it doesn't capture the other
vulnerabilities as well. We do have a spec, CMSS, designed to provide
scoring for these vulnerabilities just like CVSS does for software flaws
and CCSS does for misconfigurations. What we don't yet have is a (heaven
help me) dictionary or taxonomy of CMSS vulnerabilities. (Fortunately, I'd
expect this to be pretty small and straightforward to create, compared to
CVE and CCE).


On Tue, Feb 14, 2012 at 3:51 PM, Adam Montville <>wrote;wrote:

> All,
> Security automation seeks to automate what we can ultimately within the
> framework of risk management.  Scoring is not enough to measure risk.  What
> appears to be needed is a method by which we can automate risk measurement.
>  It would be interesting to discuss various ways in which such automation
> might be achieved along both qualitative and quantitative lines.
> The scoring methods we have in place today for vulnerabilities and
> configurations (CVSS and CCSS respectively) can measure risk of a
> particular instance of a class of concepts in our domain.  What I don't see
> being possible at this point is a way to measure the aggregate instances of
> vulnerabilities and misconfigurations for some set of assets (whether that
> be a single asset or a composite asset representing an entire network).
> Risk management methodologies are not scarce – NIST, ISO, CobiT, OCTAVE
> and others all present some method of managing risk, and they are similar.
>  How can we apply automation in support of these various risk management
> methods while providing both qualitative and quantitative risk assessment
> under the hood?
> Regards,
> Adam W. Montville | Security and Compliance Architect
> Direct: 503 276-7661
> Mobile: 360 471-7815
> _______________________________________________
> scap_interest mailing list

Karen Scarfone, Principal Consultant, Scarfone Cybersecurity   (703)401-1018