New CCSS (Common Configuration Scoring System) standard
Date: June 23, 2008
In our security bulletin of March 2007, we presented the various initiatives that exist regarding vulnerability naming: first CVE, CME and CVSS (already adopted by Cert-IST), but also OVAL, CPE and CWE.
In parallel to vulnerability management, other work concerns the configuration of devices and the impact of that configuration on the security level of a system. NIST (already the initiator of many of these efforts) has in particular published a report describing standard measures for security configuration issues. This report, which is still a "draft", is called "Common Configuration Scoring System" (CCSS).
Operating systems and applications have configuration settings that affect their security level (security configuration settings). CCSS aims to establish a set of measures for security configuration issues and to give each of them a score. These CCSS scores, derived from the CVSS (Common Vulnerability Scoring System) standard, are designed to measure the severity of a configuration issue.
To illustrate the use of CCSS, we take two examples from the NIST document, drawn from the CCE (Common Configuration Enumeration) standard.
Recall that the CVSS score computation uses the following acronyms:
- AV : Access Vector
- AC : Access Complexity
- Au : Authentication
- C : Confidentiality Impact
- I : Integrity Impact
- A : Availability Impact
CCE-4675-5: This security option affects kernel-level auditing on Solaris 10 systems. Here are the values obtained for this option:
- Some events logged by kernel-level auditing may be triggered remotely: AV:N
- The access complexity is low because no particular action is needed: AC:L
- No authentication is required to trigger the weakness: Au:N
- The failure to log a kernel-level event has a partial impact on integrity and no impact on confidentiality or availability: C:N/I:P/A:N
The CCSS base score obtained is 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N).
CCE-3047-8: This security option concerns application management on Windows XP. The corresponding service may be enabled or disabled. If the service is disabled but should be enabled, it prevents local users from installing and using new applications, which has a partial impact on availability. If the service is enabled but should be disabled, it allows a local user to install or remove programs, which has a partial impact on integrity. In both cases, the weakness is exploitable locally, the access complexity is low and no authentication is required.
The CCSS base score obtained is 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P for the first case, AV:L/AC:L/Au:N/C:N/I:P/A:N for the second).
At present, CCSS only deals with base security configuration issues, i.e. those not linked to temporal evolution or to the environment. The upcoming integration of these aspects should enable organizations to use CCSS to set up risk assessment processes and manage the security configuration of their systems.
Cert-IST continues to follow the evolution of these initiatives carefully in order to evaluate the interest of integrating them into its processes.
- NIST draft NISTIR 7502: http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf
- Article from the Cert-IST security bulletin (March 2007), "Standards pour la gestion des vulnérabilités" (in French): http://www.cert-ist.com/fra/ressources/Publications_ArticlesBulletins/Veilletechnologique/standards_gestion_vulnerabilites/