Guide to adopting and using the Security Content Automation Protocol (SCAP) version 1.0

Quinn, Stephen; Scarfone, Karen; Barrett, Matthew; Johnson, Christopher

doi:10.6028/nist.sp.800-117

Cited by 28 publications

(35 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Implication #2. Rule-based policies based on CVSS score, like the US Government NIST SCAP protocol [20], may not make for an effective strategy: only a negligible number of low-risk vulnerabilities are ruled out, even after controlling for "significant" vulnerabilities. Security policies may require a major adjustment to meet these observations.…”

Section: B Rule-based Policies For Risk Mitigation With Cvssmentioning

confidence: 99%

“…For example, the US Federal government with QTA0-08-HC-B-0003 reference notice specified that IT products to manage and assess the security of IT configurations must use the NIST certified S-CAP protocol [20], which explicitly says: "Organizations should use CVSS base scores to assist in prioritizing the remediation of known security-related software flaws based on the relative severity of the flaws." In other words, a rule-based policy is enforced: if the vulnerability is marked as "high risk" by the CVSS assessment, it must be fixed with high priority.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Comparing Vulnerability Severity and Exploits Using Case-Control Studies

Allodi

Massacci

2014

ACM Trans. Inf. Syst. Secur.

142

118

View full text Add to dashboard Cite

Abstract-(U.S) Rule-based policies to mitigate software risk suggest to use the CVSS score to measure the individual vulnerability risk and act accordingly: an HIGH CVSS score according to the NVD (National (U.S.) Vulnerability Database) is therefore translated into a "Yes". A key issue is whether such rule is economically sensible, in particular if reported vulnerabilities have been actually exploited in the wild, and whether the risk score do actually match the risk of actual exploitation.We compare the NVD dataset with two additional datasets, the EDB for the white market of vulnerabilities (such as those present in Metasploit), and the EKITS for the exploits traded in the black market. We benchmark them against Symantec's threat explorer dataset (SYM) of actual exploit in the wild. We analyze the whole spectrum of CVSS submetrics and use these characteristics to perform a case-controlled analysis of CVSS scores (similar to those used to link lung cancer and smoking) to test its reliability as a risk factor for actual exploitation.We conclude that (a) fixing just because a high CVSS score in NVD only yields negligible risk reduction, (b) the additional existence of proof of concepts exploits (e.g. in EDB) may yield some additional but not large risk reduction, (c) fixing in response to presence in black markets yields the equivalent risk reduction of wearing safety belt in cars (you might also die but still. . . ). On the negative side, our study shows that as industry we miss a metric with high specificity (ruling out vulns for which we shouldn't worry).

show abstract

Section: B Rule-based Policies For Risk Mitigation With Cvssmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Comparing Vulnerability Severity and Exploits Using Case-Control Studies

Allodi

Massacci

2014

ACM Trans. Inf. Syst. Secur.

142

118

View full text Add to dashboard Cite

show abstract

“…Several standards, among which the PCI-DSS [13] and NIST's SCAP [15] are notable examples, mandate the adoption of CVSS guidelines to guide vulnerability risk mitigation. For example, the PCI-DSS standard uses the concept of 'segmentation' to identify the scope of the compliance within an organization's network: vulnerable systems within the compliance scope are more critical than identical vulnerable systems outside the scope.…”

Section: Discussionmentioning

confidence: 99%

“…For example, different security tools output event logs and alarms following different structures, which may render the correlation between a firewall configuration and an IDS alarm hard to infer. The NIST's SCAP standard [15] aims at achieving this standardization, but its large scale adoption is currently unclear.…”

Section: Null Hypothesismentioning

confidence: 99%

Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment

Allodi

Biagioni

Crispo

et al. 2017

Future Data and Security Engineering

View full text Add to dashboard Cite

Abstract[Context] The CVSS framework provides several dimensions to score vulnerabilities. The environmental metrics allow security analysts to downgrade or upgrade vulnerability scores based on a company's computing environments and security requirements.[Question] How difficult is for a human assessor to change the CVSS environmental score due to changes in security requirements (let alone technical configurations) for PCI-DSS compliance for networks and systems vulnerabilities of different type? [Results] A controlled experiment with 29 MSc students shows that given a segmented network it is significantly more difficult to apply the CVSS scoring guidelines on security requirements with respect to a flat network layout, both before and after the network has been changed to meet the PCI-DSS security requirements. The network configuration also impact the correctness of vulnerabilities assessment at system level but not at application level.[Contribution] This paper is the first attempt to empirically investigate the guidelines for the CVSS environmental metrics. We discuss theoretical and practical key aspects needed to move forward vulnerability assessments for large scale systems.

show abstract

“…This work contributes new vulnerability metrics that can complement the Common Vulnerability Scoring System (CVSS), currently the main risk assessment metric for software vulnerabilities [148]. The CVSS score captures exploitability 54 Chapter 3.…”

Section: Improving Security Risk Assessmentmentioning

confidence: 99%

Defending against cybercrime: advances in the detection of malicious servers and the analysis of client-side vulnerabilities

Nappa¹

View full text Add to dashboard Cite

Resumen de la tesisEsta tesis se centra en el análisis de dos aspectos complementarios de la ciberdelincuencia (es decir, el crimen perpetrado a través de la red para ganar dinero). Estos dos aspectos son las máquinas infectadas utilizadas para obtener beneficios económicos de la delincuencia a través de diferentes acciones (como por ejemplo, clickfraud, DDoS, correo no deseado) y la infraestructura de servidores utilizados para gestionar estas máquinas (por ejemplo, C & C, servidores explotadores, servidores de monetización, redirectores).En la primera parte se investiga la exposición a las amenazas de los ordenadores victimas. Para realizar este análisis hemos utilizado los metadatos contenidos en WINE-BR conjunto de datos de Symantec. Este conjunto de datos contiene metadatos de instalación de ficheros ejecutables (por ejemplo, hash del fichero, su editor, fecha de instalación, nombre del fichero, la versión del fichero) proveniente de 8,4 millones de usuarios de Windows. Hemos asociado estos metadatos con las vulnerabilidades en el National Vulnerability Database (NVD) y en el Opens Sourced Vulnerability Database (OSVDB) con el fin de realizar un seguimiento de la decadencia de la vulnerabilidad en el tiempo y observar la rapidez de los usuarios a remiendar sus sistemas y, por tanto, su exposición a posibles ataques.Hemos identificado 3 factores que pueden influir en la actividad de parches de ordenadores victimas: código compartido, el tipo de usuario, exploits. Presentamos 2 nuevos ataques contra el código compartido y un análisis de cómo el conocimiento usuarios y la disponibilidad de exploit influyen en la actividad de aplicación de parches. Para las 80 vulnerabilidades en nuestra base de datos que afectan código compartido entre dos aplicaciones, el tiempo entre el parche libera en las diferentes aplicaciones es hasta 118 das (con una mediana de 11 das)En la segunda parte se proponen nuevas técnicas de sondeo activos para detectar y analizar las infraestructuras de servidores maliciosos. Aprovechamos técnicas de sondaje activo, para detectar servidores maliciosos en el internet.ii Empezamos con el análisis y la detección de operaciones de servidores explotadores. Como una operación identificamos los servidores que son controlados por las mismas personas y, posiblemente, participan en la misma campaa de infección. Hemos analizado un total de 500 servidores explotadores durante un perodo de 1 ao, donde 2/3 de las operaciones tenian un nico servidor y 1/2 por varios servidores.Hemos desarrollado la técnica para detectar servidores explotadores a diferentes tipologas de servidores, (por ejemplo, C & C, servidores de monetización, redirectores) y hemos logrado escala de Internet de sondeo para las distintas categoras de servidores maliciosos. Estas nuevas técnicas se han incorporado en una nueva herramienta llamada CyberProbe. Para detectar estos servidores hemos desarrollado una novedosa técnica llamada Adversarial Fingerprint Generation, que es una metodologa para generar un modelo nico de solicitud-respue...

show abstract

Guide to adopting and using the Security Content Automation Protocol (SCAP) version 1.0

Cited by 28 publications

References 0 publications

Comparing Vulnerability Severity and Exploits Using Case-Control Studies

Comparing Vulnerability Severity and Exploits Using Case-Control Studies

Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment

Defending against cybercrime: advances in the detection of malicious servers and the analysis of client-side vulnerabilities

Contact Info

Product

Resources

About