The Common Configuration Scoring System - NIST Draft

June 12th, 2008 Drazen Drazic Posted in Industry Specialists Talk, Research, Risk Management, Vulnerability Management, cyber crime |

By Donal O Duibhir

Donal looks at “The Common Configuration Scoring System” draft from NIST:

http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf

Initial thoughts: It would be nice to see CCSS as an output metric generated by the tools here: http://www.cisecurity.org/index.html, but further investigation leads me to believe the initiative hasn’t been as well thought through as CVSSv2 or the OSSTMM Risk Assessment Values here: http://www.isecom.org/research/ravs.shtml perhaps.

Basically:

- CVSS more objective/defined, distinct vector/criteria and is usually applicable to an atomic entity with default configuration/service.

- CCSS plays in a much greater sample space, with permutations/combinations/complexity perhaps too large, really requires environmental dependencies and values to be calculated.. and is harder to actually define as an overall concept.

Is the metric actually useful?

“Are we dealing with ‘best practice’ vs ‘default config’ in whose environment? Are we focusing on an end goal of sub-component or system security?”

When taking into consideration transitive trust and unique business/technical requirements, does this not invalidate someone else’s recommendations somewhat?

More fun questions:
- How would one combine or aggregate CCSS scores across all nodes in an enterprise to gain an understanding of an organisation wide security posture?

- Rather than have a tool run locally on a device, how can one independently verify the absence or presence of a configuration option and how long would it be valid?
- Would this be performed upon live devices or CMDBs?
- What is a ‘configuration issue’ per se, and more so, what are ‘security configuration issues that are constant over time and environments’?
- What exactly is the value really telling me, and does it allow me to compare my footprint to other enterprises?

Tell you what, give me a static environment and I’ll give you the world!

Time for IT to join the http://www.slowmovement.com/, take a step back.. stop spending other people’s money on increasing complexity and focus on delivery of simple, measurable services that are as stable as possible on the smallest management footprint possible. Amen.

Donal
