No software is immune to security vulnerabilities. The time between the discovery and disclosure of security vulnerabilities and the availability of an exploit is getting shorter. This imposes pressures on network security professionals and information technology (IT) managers to quickly respond to security vulnerabilities or apply mitigation in their network. Many organizations are struggling to keep up-to-date with the constant release of new vulnerabilities and software fixes. At the same time, they are under pressure to provide near 100% availability of key business services and systems.
Note: Cisco has a very robust vulnerability management process. This process is described in detail at Cisco’s Security Vulnerability Policy. The Cisco Product Security Incident Response Team (PSIRT) manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks.
As an example, every time Cisco discloses a security vulnerability for Cisco IOS Software (or any given product), network security administrators have to identify affected devices and (in numerous cases) upgrade such devices. These activities can take hours, days, or even weeks depending on the size of the organization. For instance large enterprises and organizations may have thousands of routers and switches that need to be assessed for the impact of any given vulnerability.
Most security and network administrators are seeking ways to leverage standards and available tools to reduce the complexity and time necessary to respond to security advisories, assess devices, and ensure compliance. All these challenges make it almost impossible for a security or network administrator to decide what changes are needed on endpoints or networking devices. Additionally, administrators must determine how to implement those changes quickly, correctly, and consistently.
The security community has struggled to make these tasks easier. The Security Content Automation Protocol (SCAP) was developed to address most of these challenges.
SCAP was created to provide a standardized solution for security automation. The SCAP mission is to maintain system security by ensuring security configuration best practices are implemented in the enterprise network, verifying the presence of patches, and maintaining complete visibility of the security posture of systems and the organization at all times.
The current SCAP specifications include the following:
Cisco is committed to protect customers by sharing critical, security-related information in different formats.As you may remember in a recent blog post, Automating Cisco IOS Vulnerability Assessment, the Cisco PSIRT is including OVAL definitions in Cisco IOS security advisories.The following are some of the major benefits that OVAL offers:
The following provides a simple example of how an administrator can use an OVAL scanner to connect to several Cisco IOS routers over SSH and check them for the presence of vulnerabilities, configuration issues, and installed software.
http://csio.cisco.com/blog/wp-content/uploads/2012/10/auto-oval-03-oval-scanner.jpgAssessment of Cisco IOS Devices Using OVAL
OVAL definitions are XML files that contain information about how to check a system for the presence of vulnerabilities, configuration issues, patches, installed applications, or other characteristics. For vulnerability checks, definitions are written to check for a vulnerability identified by a specific CVE identifier.
There are four main use cases, also called “classes,” of OVAL definitions:
OVAL content (often called “definitions”) can be downloaded directly from Cisco IOS Software security advisories. Each of these advisories includes a link to the corresponding OVAL definition(s). Currently only Cisco IOS Software is supported. Cisco is working with MITRE and the OVAL community to enhance and develop new schemata to better support Cisco IOS Software and possibly other Cisco products. OVAL enables interoperability between security and network management products from different vendors in different vertical markets, allowing them to quickly and automatically perform vulnerability and compliance assessment of network infrastructure and networking devices. Many vendors are working on integrating Cisco IOS Software schemata support into their products.
Whether you are exploring security automation capabilities such as OVAL/SCAP; or have already implemented solutions that support OVAL/SCAP (or any other security automation standard or offering), please post your comments here or ask any questions.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.