CVE Applicability

Mark E. Haase — Mon, 17 Jun 2013 21:24:01 +0000

We rolled out some major upgrades to SCAP Sync this week! We will be highlighting its new capabilities in a series of upcoming blog posts. Our goal is to show you how you can use SCAP Sync in your day-to-day security work to improve productivity and automate tedious workflows.

The first new feature that we are covering is CVE Applicability. This new feature makes it easy for you to research whether an announced vulnerability affects you or your employer.

CVE Applicability

The National Vulnerability Database (NVD) is a fantastic research tool for understanding the specifics of a particular vulnerability: when was it announced, who announced it, what products does it affect, where I can learn more, etc. The NVD can be difficult to use and understand, however, which was one of the primary motivations behind the creation of SCAP Sync.

Let us look at an example. Security researchers at Google recently announced a vulnerability in Adobe Flash Player called CVE-2013-3343. Assume that I work for the security team of an organization. What does this CVE mean for me and my employer? Are we affected? What is our exposure and risk?

Let us compare and contrast the NVD and SCAP Sync by trying to answer this seemingly simple set of questions. We begin by looking up this CVE number on both the NVD and SCAP Sync.

The visual design of SCAP Sync focuses on simplicity and readability, making the most important information immediately accessible to you, the user.

This particularly vulnerability is very severe: it scores a 10 out of 10! The NVD does not tell us why this vulnerability is so severe, but if we look at SCAP Sync, we can see that the vulnerability can be exploited over a network with a low complexity attack, and it completely compromises confidentiality, integrity, and availability. Yikes!

The next logical question is: is this CVE applicable to myself or my employer? Let us first try to answer this question by using the NVD. If we scroll down the page on the NVD, we find a section titled “vulnerable software and versions”.

The NVD contains thousands of rows of data about what products are affected by this vulnerability. A screenshot does not do justice to the amount of data involved here. If you were to print this data, it would require 15 sheets of 8.5 x 11 paper!

To complicate matters further, this complex vulnerability doesn’t just affect specific products, it affects specific combinations of products. Therefore, within this 15 pages of data, the NVD encodes a set of boolean conditions that express which combinations of products are affected by this vulnerability.

Exercise for the reader: look at this NVD data and determine if the computer you are currently using is affected by this vulnerability or not. I won’t blame you if you give up quickly – it’s really complicated and tedious! There has to be a better way… right?

Let’s look at SCAP Sync again. If we scroll down the page, we find a section titled “vulnerable products“.

When you view a CVE with complicated applicability rules, SCAP Sync hides that complex data and instead offers to help guide you through the process of answering the question, “am I affected by this vulnerability?”

SCAP Sync guides you through this process by asking you a series of yes/no questions about what kinds of OS and software applications you are using. Under the hood, SCAP Sync is using that same, complex data from the NVD to determine what questions to ask and how to interpret your answers. In doing so, we make it much easier and faster for you to figure out your exposure to this vulnerability.

At the end of this series of questions, SCAP Sync unambiguously tells you if you are vulnerable to this CVE or not.

Conclusion

At Lunarline, we are huge fans of automation in cyber security, and therefore we think that SCAP is an awesome idea. At the same time, SCAP is not widely used by most security practitioners in their day-to-day work, whether they be CISOs, security analysts, SOC engineers, or sysadmins. We see a huge need to make SCAP more useful and relevant to the average security practitioner.

This CVE applicability feature is one small but important step in that direction. We hope you agree! If you have feedback, please leave a comment below.

SCAP Content Feed

Mark E. Haase — Mon, 01 Oct 2012 16:12:43 +0000

Over the weekend, Lunarline rolled out several new features to SCAP Sync. In this post, I am going to point out three of my favorite new features: it is easier to use, it has a feed for monitoring updated SCAP content, and it has version history for SCAP Content.

By the way, if you are going to be at the ITSAC conference in Baltimore this week, please come say hello! We are speaking about SCAP Sync from 2:30 – 3:00 on Wednesday, October 3rd in Room 344. We also have a booth for the duration of the conference. Our booth is #19, which is along the left wall as you enter the exhibitors’ hall.

Easier To Use

One of our primary motivations for building SCAP Sync was to simplify and demystify SCAP for the average security practitioner. Therefore, we have tried to eliminate reliance on specialized SCAP terminology and use more general IT terminology throughout. For example, instead of using the terms CVE and CWE, we now use the terms Vulnerability and Weakness. This change is very obvious on our search screen, where the filters and results use this simplified terminology.

Simplified Search Results

In addition to simplified terminology, we have also included new online help that describes how to use the search engine and provides some examples of useful types of activities that can be done with SCAP Sync.

Built-in help for searching and using SCAP Sync.

You can click on the “Search” button next to any of the examples to actually run that search and see the results. We will continue to add and enhance the help documentation on SCAP Sync, because we view this as a critical step towards making SCAP easier to understand and use.

SCAP Content Update Feed

The next feature is really exciting – and nobody else is doing this!

One of the original motivations for creating SCAP Sync was to provide access to the freshest SCAP content. Therefore, SCAP Sync now includes a daily feed for new and updated SCAP Content. The daily feed lets you keep track of when changes are introduced to SCAP content. For example, you can stay current on new vulnerability disclosures released by NIST, new products added to the CPE dictionary, etc.

Daily Update Feed

In addition to viewing this information on the web, you can also view this feed using an RSS client such as Google Reader.

Viewing the feed in an RSS client.

We think this is a really cool new feature, and we are offering this service for free on SCAP Sync, starting today!

Version History

Although we released SCAP Sync to the public on August 3rd, our crawler had already been quietly running since July 12th. Each day, the crawler checked for updated content that was published by NIST or MITRE. Whenever the crawler discovered a modified piece of content, instead of overwriting the old version with the new version, the crawler actually kept both versions in its database.

When we first launched, we enabled users to view the most recent version of each piece of SCAP content, and we kept the older versions hidden away. Starting today, we are making all of those older versions available to view on SCAP Sync. If a piece of SCAP content has older versions available, that will be indicated near the top of the screen.

A vulnerability that has version history.

Clicking on this link will bring up the version history for this piece of content. The version history shows the date and time that our crawler noticed the change. You can click on any previous version to view it. (View an example.)

Version history for CVE-2012-1467.

You can also compare two versions side by side. This side-by-side comparison feature is targeted at advanced users: if you are familiar with Wikipedia’s version history for articles or you are a programmer, then you will feel right at home with SCAP Sync’s version history. The side-by-side view compares the raw, XML format of SCAP content. This view makes it easy to highlight the differences between two versions. For example, we can see when NIST updates the vulnerability score for a vulnerability or adds additional references.

Conclusion

In addition to these 3 new features, we have also made numerous subtle tweaks in order to make SCAP Sync easy, fast, and elegant. Please try it out and let us know what you think by leaving a comment below!

Announcing SCAP Sync

Mark E. Haase — Fri, 03 Aug 2012 13:48:35 +0000

We are proud to announce that SCAP Sync (http://scapsync.com) is now live! SCAP Sync is a search engine and content repository for SCAP. Lunarline is offering this as a free service, starting today.

SCAP Sync crawls SCAP content from multiple original sources (including NIST and MITRE) then syndicates that content in several convenient formats for both security practitioners as well as application developers who are looking to use SCAP content in their own applications.

Security Practitioners

For security practitioners, SCAP Sync provides a central location to search and view SCAP content in a user-friendly format. You don’t need to know technical details like XML or CVSS – we handle all of that stuff for you. Our goal is to demystify SCAP content and to make it more relevant and useful for the average security practitioner.

This is best illustrated with a hypothetical example… Let’s say you’re conducting a security assessment for a Voice-Over-IP deployment, and you want to evaluate potential risks associated with a specific VOIP product. You go to SCAP Sync and you type in the name of a VOIP product, then click Search.

SCAP Sync Home Page

In the search results, you can see a lot of results labeled with CPE: Common Platform Enumeration. CPEs represent specific hardware and software products, which is not really what we’re interested in.

Search Results

To focus the search on vulnerabilities, click the CVE option under Filters. This will refine the search to show vulnerabilities only. If you’re interested in the most critical vulnerabilities, then try clicking on the 8-10 option under “CVSS Base Score”.

Search Results With Filters Applied

To view details of a vulnerability, just click on it.

Details Of A Specific Vulnerability

NIST publishes CVE content in XML format, but SCAP Sync syndicates this information in a more human-friendly format. (If you want to see the original XML format, click on the XML button in the top right corner of the page.) For example, SCAP Sync reformats the CVSS (Common Vulnerability Scoring System) data so that you can easily see how this vulnerability impacts confidentiality, integrity, and availability.

This is just a quick example, but we think there are lots and lots of uses for having a single, centralized, searchable repository of SCAP content!

Application Developers

In addition to making SCAP content more useful for security practitioners, we also intend to make SCAP content more useful for application developers. SCAP Sync is being launched with a full REST API so that you can get SCAP data into your own applications quickly and easily.

The current API is pretty basic, but nonetheless it provides a valuable service that is unavailable anywhere else: the ability to retrieve any single piece of SCAP content in machine-readable format.

Let’s look at another example. CCE-14300-8 is a piece of content in the Common Configuration Enumeration, which is a SCAP standard that lists many possible security configuration items. This particular element is a configuration that states that password hashes should be stored in /etc/shadow instead of /etc/passwd.

If you wanted to get this one piece of content – and only this piece of content – you would need to download the full 10.6 MB CCE List from Mitre, load the entire file into memory, parse it, and then traverse the DOM tree looking for the element CCE-14300-8. Depending on your network speed, CPU, and IO, this might take 5-10 minutes, just to get a single record that is under 800 bytes!

Even if you did go through all of this effort to get this one record, Mitre may update the CCE list tomorrow, and there is no way to tell if that update contains any changes specific to CCE-14300-8 without downloading the whole file all over again, parsing it all over again, etc.

With SCAP Sync, you can just load this piece of content directly in a matter of seconds, and rest assured that you’re always getting the latest version of that content. We do all of the heavy lifting so that you can focus on your application.

Next Steps

SCAP Sync is launching today with support for CCE (configuration data), CPE (product data), CVE (vulnerability data), and CWE (weakness data). We are continuing to work on SCAP Sync to offer more types of content and more ways of viewing and using that content.

We are also soliciting feedback from the security community. What features would you like to see in an ideal SCAP search engine and/or repository? What types of additional SCAP content would you like to see? Please contact us by leaving a comment on this post or by e-mailing me directly at mark.haase@lunarline.com.

Out With the DIACAP, In With the DIARMF?

Dr. Julie E. Mehan — Mon, 27 Feb 2012 16:33:50 +0000

We haven’t posted on DoD’s pending transition from the DoD Information Assurance Certification & Accreditation Process (DIACAP) to what is called – at least for now – the DoD IA Risk Management Framework (RMF). Now, after reading the articles by noted security experts Len Marzigliano and Richard Bejtlich, it’s time to take a look at what this transition might really mean for DoD and its supporting contractors.

For those of us who have been around a while, we remember the emergence of the DoD Information Technology C&A Process (DITSCAP) and the somewhat reluctant transition from that C&A process to the DIACAP in 2007/2008. We watched while the DIACAP, which was intended to be a standardized process that would be applied consistently across the entire DoD to support reciprocity and cost savings, was subjected to modification and interpretation by each of the services. The result – standardization and consistency flew out the window and the DoD was back to incompatible, non-standardized processes and the inability (and perhaps unwillingness) to support full reciprocity across the DoD. In the end, despite all of the best intentions of the DoD authors of the DIACAP, it became yet another resource-intensive, paperwork centric process. But, 5 years into the transition and some of the wrinkles are getting sorted out.

And now, DoD wants to change yet again? Whoa, and we are just getting used to the DIAC AP!

So, why now, and why the RMF? It all goes back five years or so ago to a series of discussions hosted by then Director of National Intelligence, Hon. Dale Meyerrose, along with the DoD CIO, Hon. John Grimes. The goal of their conversations was to jointly find solutions to long-standing problems relating to the extensive resources the IC and DoD historically expend for C&A, ensure that C&As accomplished by one agency would be valid for all agencies, and to deliver systems to the customer faster. Concurrently, the National Institute of Standards and Technology (NIST) was working on a revision of the C&A processes used for Federal Information Systems. And then it dawned….. why not work together across the Federal government to create a single process that would be applicable across the entire Federal government to include the DoD and Intelligence Community (IC)?

The result is the NIST RMF and the IC and DoD have agreed to adopt this standard as their own – with some minor modifications, of course. Stay tuned for our next posting where we will continue this journey.

Lunarline is on the front lines of this new transition. Please be sure to take a look at our White Paper at http://lunarline.com/Services/Whitepapers.aspx. With our extensive experience in applying the NIST RMF, our participation in Federal, DoD and IC C&A transition working groups, and our NSA/CNSS certified training in this process, we can support you today and help prepare you for tomorrow.

FCD-1 Revision 1

Bob Cohen — Thu, 08 Dec 2011 12:52:37 +0000

I had an opportunity to review the draft of the upcoming revision 1 to Federal Continuity Directive 1 (FCD-1). I had several issues with it. It talks about about “establishing contingency plans for the performance of essential functions.” Unfortunately this contradicts SP 800-34 which says “An Information System Contingency Plan (ISCP) Provides procedures and capabilities for recovery an information system.”

Just to clarify - Until this draft, the government has used the term “contingency plan” to denote the policies and procedures for the recovery of a single system. “COOP Plan” has been used as the policies and procedures for recovering Primary Mission Essential Functions (PMEFs) and Mission Essential Functions (MEFs).

There are several other instances where the drafters of this revision crossed terms as used in other publications, particularly the NIST Special Publications. I’d like to see more consistency across publications to reduce confusion.COOP, Contingency Plan, Continuity, FCD, Recovery, Disaster Recovery

Cyber Security Company Lunarline Ranked as One of America’s Fastest Growing Companies

Carolyn Morse — Tue, 06 Sep 2011 20:39:06 +0000

For the second year in a row, Lunarline, Inc. is named to the Inc. 500|5000 list, jumping 366 spots to rank No. 1846. This is the fifth year Inc. magazine has compiled their exclusive list of the nation’s fastest growing private companies. The list represents the most comprehensive look at the most important segment of the economy—America’s independent entrepreneurs.

Lunarline Announces Upcoming Launch of the School of Cyber Security at FOSE Conference

Melissa Dawson — Tue, 12 Jul 2011 17:26:56 +0000

The FOSE Conference and Exposition serves as a forum for bridging ideas and innovations between the public and private sector—and provides a forward-looking view of upcoming federal IT initiatives. The event will be held at the Walter E. Washington Convention Center from July 19-21. Lunarline, Inc. will be an exhibitor at booth #212 with some new and exciting offerings!

Lunarline has proven expertise in cyber security and privacy solutions, specialized information assurance services, and Next-Generation infrastructure strategies. Lunarline will be available to discuss ways that new tools and approaches are improving enterprise-wide and federated decision making and security.

Lunarline will also provide information on their upcoming School of Cyber Security (SCS) launch. The SCS is dedicated to providing excellence in cybersecurity training and certifications.

Lunarline Teams with Booz Allen Hamilton on TIPSS-4 ITS Win

Bobbie Lawson — Wed, 29 Jun 2011 18:16:21 +0000

Lunarline partnered with Booz Allen Hamilton in a winning bid for an IT services-related suite of indefinite-delivery, indefinite-quantity (ID/IQ) contracts, called TIPSS-4 ITS. These contracts are the primary procurement vehicles for technology-related services within the Internal Revenue Service and other Treasury bureaus. The TIPSS-4 contract has a 10-year period of performance (one base-year and nine one-year options).

U.S. Cyber Command Conference

Melissa Dawson — Wed, 08 Jun 2011 15:48:42 +0000

I’m excited to be attending the U.S. Cyber Command Conference two weeks from today! Let me know if you’re going to be there and we can coordinate a time to meet.

We recently released an article about Lunarline’s involvement in the event. You can read more about it here.

Lunarline Announces Participation in FAA HQ Cyber Security Awareness Day

Melissa Dawson — Tue, 07 Jun 2011 18:46:30 +0000

Lunarline, Inc. will be an exhibitor at the FAA HQ Cyber Security Awareness Day on June 23, 2011 in Washington, DC. The on-site expo is part of the FAA’s Annual Cyber Security Awareness Training and showcases cyber security best practices and technology.