
NIST releases a draft of the Common Configuration Scoring System (CCSS)

On May 30, NIST (the US National Institute of Standards and Technology) released a draft for scoring security configurations; its full title is NIST IR-7502 DRAFT, The Common Configuration Scoring System (CCSS).

CCSS is a set of standard measures for the characteristics and impact of software security configuration issues. It can help organizations make sound decisions when addressing security issues, and it can also supply data for a quantitative assessment of a host's security posture. Structurally, CCSS borrows from CVSS, but it is specifically adapted to software security configuration issues (CVSS focuses on software flaws and vulnerabilities). As we know, the security of a software system is not only a matter of the software itself; to a large extent it is determined by installation, configuration and operational management.

According to reports, NIST also plans to extend CCSS to include environmental metrics.

Comment #1, June 10th, 2008 at 22:16

Below is a reply from William Bell on the SecurityMetrics mailing list, which is quite interesting:

Some things that came to mind while reading this early draft:

1.) Attempting to integrate environmental support and mitigating circumstances, like with the CVSS, is going to be tricky. There are two sides to this issue. Not including this support will render the metrics ineffective due to the high probability that some type of mitigating circumstances or configuration may exist. On the other side, by allowing super customization of the metrics you could end up with dirty information that takes a long time to collect and assess.

2.) It is proposed that vendors create the base metrics for a specific product configuration. I am not so sure that this is the best idea, as it most often runs counter to the main objective of the creating entity (aka selling the crap out of their operating system... ahem, MS). I would not be opposed to their participation in the creation of these base metrics, due to the knowledge they possess over the system being scored.

3.) In the area of access complexity I am not sure that requiring the attacking party to have elevated privileges would be considered a HIGH level condition for active exploitation. I imagine this should most probably be chucked in with requiring some user level access, as the pervasive use of administrator privileges in today's world often leaves little distinction between the two.

4.) The whole section regarding authentication is a bit foolhardy. In my opinion, deciding to disregard the complexity of the authentication is a cop-out. The author is effectively saying we are going to treat two username/password authentications and other methods of multi-factor authentication the same. I am sure we can all agree that they are not. I would propose that the Multiple (M) metric be reserved for two-factor authentication only. (I decided to just ignore this as it almost made me fall out of my chair... "Exploiting the weakness requires that the exploiter authenticate two or more times, even if the same credentials are used each time".)

I haven't had time to evaluate the scoring system as of yet. If anything jumps out, I'll be sure to comment.
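To make concrete the Access Complexity and Authentication metrics the comment argues over, here is an added CVSS v2 base-score calculator (example code written for this page, not code from the post, the commenter or NIST's draft), using the CVSS v2 base equation and weights, since the post notes that CCSS takes its structure from CVSS. Whether the CCSS draft keeps these exact weights is not stated on the page and is an assumption; the metric vectors in the block are constructed examples.

```python
# Added example for this page (not from the post or from NIST's draft): a CVSS v2
# base-score calculator. Equation and weights are CVSS v2's; that the CCSS draft
# keeps them unchanged is an assumption, not something the post states.

AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector: local/adjacent/network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity: high/medium/low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication: multiple/single/none
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # C/I/A impact: none/partial/complete


def cvss2_base(av, ac, au, c, i, a):
    """CVSS v2 base score (0.0-10.0) for one set of base-metric values."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0.0 if impact == 0 else 1.176   # no impact at all means score 0
    score = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # CVSS rounds to one decimal; the epsilon keeps an exact x.x5 from rounding down
    return round(score + 1e-9, 1)


def score_vector(vector):
    """Score a vector string such as 'AV:N/AC:M/Au:S/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    return cvss2_base(m["AV"], m["AC"], m["Au"], m["C"], m["I"], m["A"])


def vary(vector, metric, values):
    """Re-score `vector` with `metric` set to each value in `values`.

    Shows how much a single metric moves the score while the impact part
    stays fixed, which is what the comment's points 3 and 4 are about."""
    m = dict(part.split(":") for part in vector.split("/"))
    out = {}
    for v in values:
        m[metric] = v
        out[v] = score_vector("/".join(f"{k}:{x}" for k, x in m.items()))
    return out


if __name__ == "__main__":
    # Constructed example: a configuration weakness with complete C/I/A impact,
    # reachable over the network. Compare the commenter's two concerns.
    base = "AV:N/AC:L/Au:N/C:C/I:C/A:C"
    print("Authentication M/S/N:  ", vary(base, "Au", "MSN"))  # point 4: what "Multiple" buys
    print("Access Complexity H/M/L:", vary(base, "AC", "HML"))  # point 3: privilege as AC:H?
```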
