Security Advisories – Sources and examples

  1. Security Advisories – Sources and examples Presented by Srujan Baddam

  2. Outline
  • Introduction
  • Scorecard approach
  • Goal-Question Metric (GQM) Technique
  • Examples
  • Conclusions

  3. Introduction
  • A security advisory is a formal message issued by a vendor or a third party to alert a product’s user community about security problems associated with the product and to provide information about how to avoid, minimize, or recover from any damage.
  • Vulnerability disclosure
  • Assigning a security rating to security advisories
  • Security advisories don’t help users and system administrators effectively manage and assess the impact of vulnerability disclosures.
  • This is where the scorecard approach comes in.

  4. Scorecard Approach
  • The main goal is to help users and system administrators efficiently manage and assess the impact of vulnerability disclosures; the approach is based on the Goal-Question-Metric technique.
  • It is designed to let users record useful information and let security response centers publish advisories in a way that helps the community respond more efficiently.

  5. The [un]readability of security bulletins

  6. The [un]readability of security bulletins (contd.)
  • A survey of various security bulletin boards shows that each has a completely different view of what to publish, what information to include, and how to organize the data.
  • Similar values were recorded at the bulletin boards of specific vendors: an average of 45 advisories per year for Cisco, 72 for Microsoft, and 44 for FreeBSD over each of the past three years. For general, non-vendor-specific informational postings, 37 advisories were recorded for CERT, 734 for Australian CERT (AusCERT), 56 for Symantec, and 1,568 for CVE.
  • The unexpectedly large differences between these numbers indicate that there is no clear rule on what counts as a security advisory.

  7. A metrics-based scorecard
  • The vendors’ bulletin boards do not provide a practical guide on how to read, evaluate and handle a security advisory, which can mislead the user communities.
  • The scorecard approach addresses this problem by defining a series of metrics.
  • It contains nine categories of metrics, ordered by their evaluation sequence, and gives a complete picture of both the vulnerability and the associated risk.

  8. Metrics-based scorecard (contd.)
  • Vulnerability’s target:
    • Logical
    • Physical
  • Applicability scope
  • Exploitation preconditions
  • Organization factors
  • Exploitation impact
  • Community impact
  • Solution requirements
  • Solution impact
  • Conclusions impact

  9. Action sequence for handling security advisories

  10. A metrics-based scorecard (contd.)
  There are two phases in the metrics-based scorecard method:
  1. Assessment phase
  2. Implementation phase
  The assessment phase has the following metrics:
  1. Target: Logical targets refer to informational and processing resources. Physical targets refer to hardware, to local area network infrastructure, or to the entire Internet infrastructure.
  2. Applicability scope: The applicability of a security advisory depends on hardware type, OS, installed software and various configuration settings. It is usually clearly indicated in the text of the advisory.

  11. A metrics-based scorecard (contd.)
  3. Exploitation preconditions: The exploitation of a vulnerability is usually performed remotely, either location-independently or only within specific logical or physical limits, such as an intranet logical area, a LAN or a switched LAN segment. In other cases the exploitation may succeed only for normally registered users or with physical access.
  4. Organization factors: These factors may considerably mitigate the impact of a vulnerability by providing the means for better information dissemination and response procedures.

  12. A metrics-based scorecard (contd.)
  5. Exploitation impact (damage)
  • Exploitation impact refers to the basic security properties, i.e. the availability, integrity and confidentiality of the information and the infrastructure.
  • Exploitation may also result in unauthorized action and system misuse, such as code execution and the bypass of authentication and authorization controls.
  • In other cases the exploitation may lead to spreading to neighbor systems, erroneous transmission (e.g. network disruption, traffic redirection, out-of-sequence transmission) or physical damage.

  13. A metrics-based scorecard (contd.)
  6. Community impact can be:
  • Financial loss, i.e. direct theft, downtime cost or restoration cost
  • Loss of trust in the information system
  7. Solution requirements focus on:
  • The solution implementation, such as patching and configuring according to the relevant security advisories
  • Additional protection measures that may be required, such as the use of ACLs, an IDS, firewalls, cryptography, VPNs and antivirus applications

  14. A metrics-based scorecard (contd.)
  8. Solution impact: The implementation of a proposed solution can have the following impacts:
  • Cost in terms of money, labor time, system availability and organization functionality
  • The time margin to take action; according to the severity of the impact it is immediate, short-term or long-term.
  9. Conclusions impact: The conclusions that arise after the assessment and implementation phases of a security advisory are either informational or indicate further action.
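As an added example (not code from the presentation or from the paper it summarizes), a Python sketch of the scorecard rows for one host: the applicability-scope check, an assumed 1..3 ordering for exploitation impact, and the solution-impact time margin derived from severity, the exploitation precondition and an organization factor. The field names, the scale and the weightings are assumptions, not rules the slides state.

```python
from dataclasses import dataclass

@dataclass
class Advisory:
    ident: str
    target: str          # "logical" or "physical"
    affected_os: set     # applicability scope: operating systems named in the advisory
    affected_sw: set     # applicability scope: software named in the advisory
    precondition: str    # "remote", "intranet", "lan", "registered_user" or "physical"
    impact: set          # e.g. {"confidentiality", "code_execution", "spread"}

@dataclass
class Host:
    name: str
    os: str
    software: set
    has_ids: bool = False  # organization factor: an IDS already watches this host

def applies_to(adv, host):
    """Applicability scope: the OS must match and at least one affected package be installed."""
    return host.os in adv.affected_os and bool(adv.affected_sw & host.software)

def severity(adv):
    """Exploitation impact on an assumed 1..3 scale: code execution or spreading to
    neighbour systems (3) outranks a breach of a basic security property (2)."""
    if adv.impact & {"code_execution", "spread"}:
        return 3
    if adv.impact & {"confidentiality", "integrity", "availability"}:
        return 2
    return 1

def time_margin(adv, host):
    """Solution impact: the time margin to act. Assumed weighting: remote,
    location-independent exploitation adds urgency; an IDS buys some time."""
    if not applies_to(adv, host):
        return "not applicable"
    score = severity(adv)
    if adv.precondition == "remote":
        score += 1
    if host.has_ids:
        score -= 1
    return "immediate" if score >= 3 else "short-term" if score == 2 else "long-term"

# Constructed sample advisory and hosts; not real advisories or systems.
ADV = Advisory("ADV-EXAMPLE-1", "logical", {"Windows 2000"}, {"IIS 5.0"},
               "remote", {"code_execution", "spread"})
WEB = Host("web01", "Windows 2000", {"IIS 5.0"})
DB = Host("db01", "Linux", {"PostgreSQL"})
```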

  15. Goal-Question Metric approach
  • A multidimensional framework for describing, implementing and managing strategy at all levels of an organization.
  • It is a common analysis tool in software engineering and quality management.
  • The GQM user sets an objective goal that can’t be directly interpreted, but rather is described by a series of questions. Each question is answered, in turn, by a series of metrics, which are either quantitative (absolute values) or qualitative (subjective judgments or comparable values).

  16. Goal-Question Metric approach (contd.)
  • The goal has four parts:
    • An issue relates to a security parameter (such as the impact)
    • A reference object is the source of the analysis
    • A perspective establishes how to interpret the issue, in terms of its impact on a service, process or system
    • An intention determines how to evaluate or change the object’s parameter (assess, test)

  17. Example: http://www.microsoft.com/technet/security/bulletin/MS02-030.mspx

  18. Conclusions
  • A way to improve the handling and reporting of security advisories is proposed.
  • A homogenized and stable security advisory publication scheme (using a common XML format) can be evolved by the response centers and vendors.


  20. Thank you