SlideShare a Scribd company logo

Classification of vulnerabilities

Download as PPTX, PDF
Mayur Mehta
Mayur Mehta

The document discusses three standards used for classifying vulnerabilities: CVE, CWE, and CVSS. CVE provides identifiers for known vulnerabilities. CWE defines common weakness types. CVSS provides a scoring system to assess vulnerability severity levels. The Heartbleed bug is used as an example, which is identified by CVE-2014-0160, classified under CWE-200 for information exposure, and given a CVSS score of 6.4.

Related slideshows

Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
1 of 14
1 Classification of vulnerabilities Using CVE, CWE and CVSS 26/03/2015 Mayur Mehta
2 Index > Introduction > Building Blocks > Acronyms > Heartbleed bug example > CVE > CWE > CVSS > Main differences
3 Everything is Connected
4 Cyber Threats Emerged Over Time
5 Solutions Also Emerged Over Time
6 Architecting Security with Information Standards
7 Building Blocks > Enumerations : Standard ways for enumerating “things we care about” > Catalog the fundamental entities in IA, Cyber Security, and Software Assurance - Vulnerabilities (CVE), misconfigurations (CCE), software packages (CPE), malware (CME), attack patterns (CAPEC), weaknesses in code/design/architecture (CWE) > Languages/Formats: Languages/Formats for encoding/carrying high fidelity content about the “things we care about” > Support the creation of machine-readable state assertions, assessment results, and messages - Configuration/vulnerability/patch/asset patterns (XCCDF & OVAL), results from standards-based assessments (CRF), software security patterns (SBVR), event patterns (CEE), malware patterns (MAEC), risk of a vulnerability (CVSS), information messages (CAIF & *DEF) > Repositories: Repositories of this content for use in communities or individual organizations > Packages of assertions supporting a specific application - Vulnerability advisories & alerts, (US-CERT Advisories/IAVAs), configuration assessment (NIST Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGS), asset inventory (NIST/DHS NVD), code assessment & certification (NIST SAMATE, DoD DIACAP & eMASS)
8 Acronyms Security Content Automation Protocol (SCAP)
9 Heartbleed bug example > Taking the Heartbleed bug as an example, this particular vulnerability is listed under a specific CVE identifier of CVE-2014-0160. It is also classified under the more general CWE-200: Information Exposure weakness. In addition, it has been given an CVSS Score of 6.4.
10 CVE The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.[1] CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on MITRE's system[2] as well as the US National Vulnerability Database. Wiki link: http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures Year wise data: http://www.cvedetails.com/browse-by-date.php
11 CWE Common Weakness Enumeration is a software community project that aims at creating a catalog of software weaknesses and vulnerabilities. The goal of the project is to better understand flaws in software and to create automated tools that can be used to identify, fix, and prevent those flaws.[1]The project is sponsored by Mitre Corporation. In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below: Wiki link: http://en.wikipedia.org/wiki/Common_Weakness_Enumeration MITRE database: http://cwe.mitre.org/data/slices/2000.html
12 CVSS Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It is under the custodianship of NIST.[1] It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized. The scores are based on a series of measurements (called metrics) based on expert assessment. The scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 as Medium, and 0-3.9 as Low. Versions: CVSSv1 – 2004, CVSSv2 – (the current version) launched in 2007, CVSSv3 – expected to be released in late 2015. The CVSS assessment measures three areas of concern: 1. Base Metrics for qualities intrinsic to a vulnerability 2. Temporal Metrics for characteristics that evolve over the lifetime of vulnerability 3. Environmental Metrics for vulnerabilities that depend on a particular implementation or environment Wiki link: http://en.wikipedia.org/wiki/CVSS Calculator: https://nvd.nist.gov/CVSS-v2-Calculator?vector=%28AV:L/AC:H/Au:N/C:N/I:P/A:C%29
13 Main differences > Main differences between the three standards CVE CWE CVSS Full Name Common Vulnerabilities and Exposures Common Weaknesses Enumeration Common Vulnerabilities Scoring System What is it? A dictionary of publicly known security vulnerabilities and exposures. A community-developed dictionary of software weakness types. A vendor-agnostic industry open- standard designed to convey vulnerability severity. Main Benefit Easier to share vulnerability data across different databases and tools. Different security tools can now “talk” to each other using a common language. Provides a standard measuring stick for software security. Helps determine urgency and priority of response when vulnerabilities are detected. Solution Provides a baseline for evaluating the coverage of an organization’s security tools. Provides a common baseline for weaknesses identification, mitigation and prevention efforts. Solves the problem of multiple incompatible scoring systems. More information http://cve.mitre.org/index.html https://cwe.mitre.org http://www.first.org/cvss
14

More Related Content

Classification of vulnerabilities

  • 1. 1 Classification of vulnerabilities Using CVE, CWE and CVSS 26/03/2015 Mayur Mehta
  • 2. 2 Index > Introduction > Building Blocks > Acronyms > Heartbleed bug example > CVE > CWE > CVSS > Main differences
  • 6. 6 Architecting Security with Information Standards
  • 7. 7 Building Blocks > Enumerations : Standard ways for enumerating “things we care about” > Catalog the fundamental entities in IA, Cyber Security, and Software Assurance - Vulnerabilities (CVE), misconfigurations (CCE), software packages (CPE), malware (CME), attack patterns (CAPEC), weaknesses in code/design/architecture (CWE) > Languages/Formats: Languages/Formats for encoding/carrying high fidelity content about the “things we care about” > Support the creation of machine-readable state assertions, assessment results, and messages - Configuration/vulnerability/patch/asset patterns (XCCDF & OVAL), results from standards-based assessments (CRF), software security patterns (SBVR), event patterns (CEE), malware patterns (MAEC), risk of a vulnerability (CVSS), information messages (CAIF & *DEF) > Repositories: Repositories of this content for use in communities or individual organizations > Packages of assertions supporting a specific application - Vulnerability advisories & alerts, (US-CERT Advisories/IAVAs), configuration assessment (NIST Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGS), asset inventory (NIST/DHS NVD), code assessment & certification (NIST SAMATE, DoD DIACAP & eMASS)
  • 9. 9 Heartbleed bug example > Taking the Heartbleed bug as an example, this particular vulnerability is listed under a specific CVE identifier of CVE-2014-0160. It is also classified under the more general CWE-200: Information Exposure weakness. In addition, it has been given an CVSS Score of 6.4.
  • 10. 10 CVE The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.[1] CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on MITRE's system[2] as well as the US National Vulnerability Database. Wiki link: http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures Year wise data: http://www.cvedetails.com/browse-by-date.php
  • 11. 11 CWE Common Weakness Enumeration is a software community project that aims at creating a catalog of software weaknesses and vulnerabilities. The goal of the project is to better understand flaws in software and to create automated tools that can be used to identify, fix, and prevent those flaws.[1]The project is sponsored by Mitre Corporation. In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below: Wiki link: http://en.wikipedia.org/wiki/Common_Weakness_Enumeration MITRE database: http://cwe.mitre.org/data/slices/2000.html
  • 12. 12 CVSS Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It is under the custodianship of NIST.[1] It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized. The scores are based on a series of measurements (called metrics) based on expert assessment. The scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 as Medium, and 0-3.9 as Low. Versions: CVSSv1 – 2004, CVSSv2 – (the current version) launched in 2007, CVSSv3 – expected to be released in late 2015. The CVSS assessment measures three areas of concern: 1. Base Metrics for qualities intrinsic to a vulnerability 2. Temporal Metrics for characteristics that evolve over the lifetime of vulnerability 3. Environmental Metrics for vulnerabilities that depend on a particular implementation or environment Wiki link: http://en.wikipedia.org/wiki/CVSS Calculator: https://nvd.nist.gov/CVSS-v2-Calculator?vector=%28AV:L/AC:H/Au:N/C:N/I:P/A:C%29
  • 13. 13 Main differences > Main differences between the three standards CVE CWE CVSS Full Name Common Vulnerabilities and Exposures Common Weaknesses Enumeration Common Vulnerabilities Scoring System What is it? A dictionary of publicly known security vulnerabilities and exposures. A community-developed dictionary of software weakness types. A vendor-agnostic industry open- standard designed to convey vulnerability severity. Main Benefit Easier to share vulnerability data across different databases and tools. Different security tools can now “talk” to each other using a common language. Provides a standard measuring stick for software security. Helps determine urgency and priority of response when vulnerabilities are detected. Solution Provides a baseline for evaluating the coverage of an organization’s security tools. Provides a common baseline for weaknesses identification, mitigation and prevention efforts. Solves the problem of multiple incompatible scoring systems. More information http://cve.mitre.org/index.html https://cwe.mitre.org http://www.first.org/cvss
  • 14. 14