Help! I Need to Respond to All These Cisco IOS Software Vulnerabilities and I Cannot Scale!!!
No software is immune to security vulnerabilities, and the window between the discovery and disclosure of a vulnerability and the availability of an exploit keeps shrinking. This puts pressure on network security professionals and information technology (IT) managers to respond quickly to vulnerabilities or apply mitigations in their networks. Many organizations struggle to keep up with the constant stream of new vulnerabilities and software fixes, while at the same time being expected to provide near 100% availability of key business services and systems.
Note: Cisco has a robust vulnerability management process, described in detail in Cisco’s Security Vulnerability Policy. The Cisco Product Security Incident Response Team (PSIRT) manages the receipt, investigation, and public reporting of security vulnerability information related to Cisco products and networks.
For example, every time Cisco discloses a security vulnerability in Cisco IOS Software (or any other product), network security administrators have to identify the affected devices and, in many cases, upgrade them. These activities can take hours, days, or even weeks depending on the size of the organization: large enterprises may have thousands of routers and switches that need to be assessed for the impact of any given vulnerability.
Most security and network administrators are seeking ways to leverage standards and available tools to reduce the complexity and time necessary to respond to security advisories, assess devices, and ensure compliance. All these challenges make it almost impossible for a security or network administrator to decide what changes are needed on endpoints or networking devices. Additionally, administrators must determine how to implement those changes quickly, correctly, and consistently.
The security community has struggled to make these tasks easier. The Security Content Automation Protocol (SCAP) was developed to address most of these challenges.
SCAP was created to provide a standardized solution for security automation. The SCAP mission is to maintain system security by ensuring security configuration best practices are implemented in the enterprise network, verifying the presence of patches, and maintaining complete visibility of the security posture of systems and the organization at all times.
The current SCAP specifications include the following:
- Open Vulnerability and Assessment Language (OVAL): OVAL is an international, community-developed language for encoding system checks (vulnerability, configuration, patch, and inventory) in XML, so that assessment content can be published openly and consumed consistently by different security tools and services. More information about OVAL is available at http://oval.mitre.org.
- Extensible Configuration Checklist Description Format (XCCDF): XCCDF is a specification for a structured collection of security checklists and benchmarks. More information about XCCDF is available at http://scap.nist.gov/specifications/xccdf.
- Open Checklist Interactive Language (OCIL): OCIL is a framework for collecting and interpreting responses from questions offered to users. More information about OCIL is available at: http://scap.nist.gov/specifications/ocil.
- Asset Identification (AI): AI is a specification designed to quickly correlate different sets of information about enterprise computing assets. More information about AI is available at http://scap.nist.gov/specifications/ai.
- Asset Reporting Format (ARF): ARF is a specification that defines the transport format of information about enterprise assets and provides a standardized data model to streamline the reporting of such information. More information about ARF is available at http://scap.nist.gov/specifications/arf.
Note: Two emerging languages are Asset Summary Reporting (ASR) and the Open Checklist Reporting Language (OCRL). More information about ASR is available at http://scap.nist.gov/specifications/asr/, and more information about OCRL is available at http://ocrl.mitre.org/.
- Common Vulnerabilities and Exposures (CVE): CVE assigns identifiers to publicly known system vulnerabilities. Cisco assigns CVE identifiers to security vulnerabilities according to the Cisco public vulnerability policy. More information about CVE is available at http://cve.mitre.org.
- Common Platform Enumeration (CPE): CPE is a standardized method of naming and identifying classes of applications, operating systems, and hardware devices. More information about CPE is available at http://cpe.mitre.org.
- Common Configuration Enumeration (CCE): CCE assigns unique identifiers to system configuration issues (individual settings and controls) so that configuration data from guidance documents, best practices, and assessment tools can be correlated. The main goal of CCE is to enable organizations to perform fast and accurate correlation of configuration issues in enterprise systems. More information about CCE is available at http://cce.mitre.org.
Note: Other community-developed enumerators, such as the Common Weakness Enumeration (CWE), are currently being expanded and further developed. CWE is a dictionary of common software architecture, design, code, or implementation weaknesses that could lead to security vulnerabilities. More information about CWE is available from http://cwe.mitre.org. Another emerging enumerator is the Common Remediation Enumeration (CRE). More information about CRE is available at http://scap.nist.gov/specifications/cre.
- Common Vulnerability Scoring System (CVSS): CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine the urgency and priority of response. Cisco provides a base and temporal CVSS score for each vulnerability that is disclosed via security advisories and other disclosure methods. Customers can compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has a FAQ regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. More information about CVSS is available at http://www.first.org/cvss.
- Common Configuration Scoring System (CCSS): CCSS applies the CVSS approach to software security configuration issues, giving a standardized way to score the severity of a misconfiguration rather than of a vulnerability. More information about CCSS is available in the following PDF document: http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf.
Note: Two emerging metrics specifications are the Common Weakness Scoring System (CWSS) and the Common Misuse Scoring System (CMSS). CWSS is a methodology for scoring software weaknesses. CWSS is part of CWE. More information about CWSS is available at http://cwe.mitre.org/cwss. CMSS is a standardized way to measure software feature misuse vulnerabilities. More information about CMSS is available at http://scap.nist.gov/emerging-specs/listing.html#cmss.
- Trust Model for Security Automation Data (TMSAD): TMSAD is a trust model to maintain integrity, authentication, and traceability of security automation data. More information about TMSAD is available in the following PDF document: http://csrc.nist.gov/publications/nistir/ir7802/NISTIR-7802.pdf.
Cisco’s New OVAL Support
Cisco is committed to protecting customers by sharing critical security-related information in different formats, and now publishes OVAL definitions with its Cisco IOS Software security advisories. Assessing devices with this OVAL content gives administrators:
- Single point of control
- Reduction of risks due to human error
- Breadth of coverage
The following provides a simple example of how an administrator can use an OVAL scanner to connect to several Cisco IOS routers over SSH and check them for the presence of vulnerabilities, configuration issues, and installed software.
OVAL definitions are XML files that contain information about how to check a system for the presence of vulnerabilities, configuration issues, patches, installed applications, or other characteristics. For vulnerability checks, definitions are written to check for a vulnerability identified by a specific CVE identifier.
There are four main use cases, also called “classes,” of OVAL definitions:
- Vulnerability: Determine the presence of a vulnerability on the system being tested
- Compliance: Validate a device configuration against a known or approved valid configuration
- Inventory: Check for a specific software installed on the system
- Patches: Find a specific patch on the system
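What an OVAL scanner does with a definition once it has collected `show version` and `show running-config` output from each router is shown below in Python. This is an added example, not Cisco's code, not a Cisco-published definition, and not the scanner referred to above: the definition XML is constructed to have the typical shape of an IOS vulnerability definition (an OR over affected release strings ANDed with a configuration line test), the release strings, criteria comments and device data are placeholders, and the evaluator handles only the `ios-def` `version55_test` and `line_test` with the `equals` and `pattern match` operations and AND/OR criteria, which is the subset this shape needs.

```python
"""Evaluate an OVAL vulnerability definition for Cisco IOS against data collected from devices."""
import re
import xml.etree.ElementTree as ET

NS = {"oval-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "ios-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"}

# Constructed definition (not a real Cisco advisory): vulnerable only if the device runs
# one of two placeholder releases AND has "ip http server" in its running configuration.
# The schema-required <generator> and the CVE <reference> are omitted for brevity.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ios-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios">
  <definitions>
    <definition id="oval:com.example:def:1" version="1" class="vulnerability">
      <metadata><title>Constructed example: HTTP server DoS</title>
        <affected family="ios"><platform>Cisco IOS</platform></affected>
        <description>Placeholder description.</description></metadata>
      <criteria operator="AND">
        <criteria operator="OR" comment="affected releases">
          <criterion test_ref="oval:com.example:tst:1" comment="15.1(4)M3"/>
          <criterion test_ref="oval:com.example:tst:2" comment="15.1(4)M4"/>
        </criteria>
        <criterion test_ref="oval:com.example:tst:3" comment="ip http server configured"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ios-def:version55_test id="oval:com.example:tst:1" version="1" check="all">
      <ios-def:object object_ref="oval:com.example:obj:1"/><ios-def:state state_ref="oval:com.example:ste:1"/>
    </ios-def:version55_test>
    <ios-def:version55_test id="oval:com.example:tst:2" version="1" check="all">
      <ios-def:object object_ref="oval:com.example:obj:1"/><ios-def:state state_ref="oval:com.example:ste:2"/>
    </ios-def:version55_test>
    <ios-def:line_test id="oval:com.example:tst:3" version="1" check="at least one">
      <ios-def:object object_ref="oval:com.example:obj:2"/><ios-def:state state_ref="oval:com.example:ste:3"/>
    </ios-def:line_test>
  </tests>
  <objects>
    <ios-def:version55_object id="oval:com.example:obj:1" version="1"/>
    <ios-def:line_object id="oval:com.example:obj:2" version="1">
      <ios-def:show_subcommand>show running-config</ios-def:show_subcommand></ios-def:line_object>
  </objects>
  <states>
    <ios-def:version55_state id="oval:com.example:ste:1" version="1">
      <ios-def:version_string>15.1(4)M3</ios-def:version_string></ios-def:version55_state>
    <ios-def:version55_state id="oval:com.example:ste:2" version="1">
      <ios-def:version_string>15.1(4)M4</ios-def:version_string></ios-def:version55_state>
    <ios-def:line_state id="oval:com.example:ste:3" version="1">
      <ios-def:config_line operation="pattern match">^ip http server$</ios-def:config_line></ios-def:line_state>
  </states>
</oval_definitions>"""

# Constructed data, in the shape a scanner collects over SSH: version string plus show output.
DEVICES = {
    "rtr-core-1": {"version": "15.1(4)M3", "show running-config": "hostname rtr-core-1\nip http server\nip http secure-server\n"},
    "rtr-edge-2": {"version": "15.1(4)M4", "show running-config": "hostname rtr-edge-2\nno ip http server\n"},
    "rtr-branch-3": {"version": "15.2(4)M6", "show running-config": "hostname rtr-branch-3\nip http server\n"},
}


def _local(el):
    return el.tag.split("}")[1]  # strip the namespace from an element tag


def _index(root):
    """Map id -> element for the tests, objects and states sections."""
    return {s: {el.get("id"): el for el in root.find(f"oval-def:{s}", NS)} for s in ("tests", "objects", "states")}


def _match(entity, value):
    """Apply the entity's OVAL operation (default "equals") to one collected value."""
    op = entity.get("operation", "equals")
    if op == "equals":
        return value == entity.text
    if op == "pattern match":
        return re.search(entity.text, value) is not None
    raise ValueError(f"unsupported operation {op!r}")


def _eval_test(test, idx, device):
    obj = idx["objects"][test.find("ios-def:object", NS).get("object_ref")]
    state = idx["states"][test.find("ios-def:state", NS).get("state_ref")]
    kind = _local(test)
    if kind == "version55_test":
        return _match(state.find("ios-def:version_string", NS), device["version"])
    if kind == "line_test":
        # The object names the show command; the state's config_line is matched per output line.
        cmd = obj.find("ios-def:show_subcommand", NS).text
        pattern = state.find("ios-def:config_line", NS)
        return any(_match(pattern, line) for line in device.get(cmd, "").splitlines())
    raise ValueError(f"unsupported test type {kind!r}")


def _eval_criteria(node, idx, device):
    op = node.get("operator", "AND")
    if op not in ("AND", "OR"):
        raise ValueError(f"unsupported criteria operator {op!r}")
    results = []
    for child in node:
        if _local(child) == "criteria":
            r = _eval_criteria(child, idx, device)
        elif _local(child) == "criterion":
            r = _eval_test(idx["tests"][child.get("test_ref")], idx, device)
        else:
            continue  # extend_definition is not handled in this example
        results.append(not r if child.get("negate") == "true" else r)
    return all(results) if op == "AND" else any(results)


def evaluate(definition_xml, device):
    """True when the device satisfies the definition's criteria, i.e. is vulnerable."""
    root = ET.fromstring(definition_xml)
    defn = root.find("oval-def:definitions/oval-def:definition", NS)
    return _eval_criteria(defn.find("oval-def:criteria", NS), _index(root), device)


def assess(definition_xml, devices):
    return {name: evaluate(definition_xml, data) for name, data in devices.items()}


if __name__ == "__main__":
    for name, vulnerable in assess(SAMPLE_OVAL, DEVICES).items():
        print(f"{name}: {'VULNERABLE' if vulnerable else 'not affected'}")
```

The three constructed routers exercise the three outcomes that matter in practice: an affected release with the vulnerable configuration, an affected release with the feature disabled (the anchored `^ip http server$` pattern does not match `no ip http server`), and an unaffected release with the feature enabled. Only the first is reported vulnerable, which is what makes OVAL content more useful than a version-only check when deciding which of thousands of devices actually need an upgrade or a workaround.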
Downloading Cisco OVAL Content
OVAL content (often called “definitions”) can be downloaded directly from Cisco IOS Software security advisories. Each of these advisories includes a link to the corresponding OVAL definition(s). Currently only Cisco IOS Software is supported. Cisco is working with MITRE and the OVAL community to enhance and develop new schemata to better support Cisco IOS Software and possibly other Cisco products. OVAL enables interoperability between security and network management products from different vendors in different vertical markets, allowing them to quickly and automatically perform vulnerability and compliance assessment of network infrastructure and networking devices. Many vendors are working on integrating Cisco IOS Software schemata support into their products.
Please Provide Us Feedback and Comments!
Whether you are exploring security automation capabilities such as OVAL/SCAP; or have already implemented solutions that support OVAL/SCAP (or any other security automation standard or offering), please post your comments here or ask any questions.