Re: [scap_interest] The Context Concept

Luis Nunez <> Tue, 21 February 2012 18:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2C69821F88BF for <>; Tue, 21 Feb 2012 10:23:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OhamTWxX15-G for <>; Tue, 21 Feb 2012 10:23:30 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D309A21F88BC for <>; Tue, 21 Feb 2012 10:23:29 -0800 (PST)
Received: by yhkk25 with SMTP id k25so3506931yhk.31 for <>; Tue, 21 Feb 2012 10:23:28 -0800 (PST)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( domain of designates as permitted sender)
Received: from ([]) by with SMTP id t30mr37064859yhd.101.1329848608904 (num_hops = 1); Tue, 21 Feb 2012 10:23:28 -0800 (PST)
Received: by with SMTP id t30mr28767525yhd.101.1329848608796; Tue, 21 Feb 2012 10:23:28 -0800 (PST)
Received: from [] ( []) by with ESMTPS id 6sm32993822anp.14.2012. (version=TLSv1/SSLv3 cipher=OTHER); Tue, 21 Feb 2012 10:23:28 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_ACF3B984-10B7-4242-84C6-1A5A14CEA285"
From: Luis Nunez <>
In-Reply-To: <>
Date: Tue, 21 Feb 2012 13:23:23 -0500
Message-Id: <>
References: <> <>
To: "Chernin, Michael A." <mchernin@DTCC.COM>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQny2oAZIWJTIaoG6gG8VrDIfyOcBs0ONSyHZKYZymos5sJV5FSPGh/ZsHlB4MD7LMZwqK75
Cc: "" <>
Subject: Re: [scap_interest] The Context Concept
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Feb 2012 18:23:37 -0000

We also need to look at vulnerabilities as it applies an environment.  An inherent vulnerability may have differing levels of exposure depending on what, where and how the node is deployed. 

We maybe able to leverage Asset Identification (AI) to correlate what role the node is playing in the environment (endpoint, Server, Inter-networking Device,..) and determine level of exposure.  The level of risk could also be applied depending on where the node is situated.
	- Directly connected to internet.
	- DMZ controlled 
	- Internal Network
	- Secure enclave


On Feb 21, 2012, at 9:47 AM, Chernin, Michael A. wrote:

> I agree that when dealing with “threats” that context matters. However, vulnerabilities alone do not imply or guarantee there is an associated threat or risk.
> In my perfect world there would be a threat indicator standard that links to a structured threat standard that then could describe the CVEs used. This would allow us to continue doing vulnerability management by exposure (no threat context) or by specific threat (which provides context).
> Aharon
> DTCC Non-Confidential (White)
> ---------------------------------------------------
> Michael "Aharon" Chernin
> Security Automation Program Manager
> Corporate Information Security -Depository Trust & Clearing Corporation
> O: 813-470-2173
> From: [] On Behalf Of Jerome Athias
> Sent: Saturday, February 18, 2012 2:03 PM
> To:
> Subject: [scap_interest] The Context Concept
> In a private discussion I had at ToorCon 9, with Matt Miller (skape);
> we came to the conclusion that a key (and unresolved) point of automation is the (automatic) definition of the Context in which you are where dealing with a vulnerability (threat).
> It was also identified (validated?), and introduced by Druid.
> And then, the Druid's work was related (validated?) at FRHACK 01 by Rodrigo Branco (bsdaemon).
> Situation awareness ( should be taken into account.
> Maybe search for "military situational awareness".
> My 2 dirhams
> /JA
> _____________________________________________________________ 
> DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email._______________________________________________
> scap_interest mailing list