Misconfiguration Flashcards
What are the main factors which make secure configuration difficult?
Personal factors: lack of knowledge, lack of experience, other priorities
Environmental factors: sole responsibility, insufficient QA, time pressure
System factors: usage of defaults, complexity of the system, legacy support
Also: imprecise laws!
What is the idea behind SCAP (Security Content Automation Protocol) and what are its main components?
Idea: standard to enable automated vulnerability management, measurement, and policy compliance evaluation
Components:
- Common Vulnerabilities and Exposures (CVE)
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
What is the idea behind the Center for Internet Security (CIS)?
- publishes security configuration guides (CIS workbench)
- users can contribute to benchmarks by adding rules / changing rules
What are some open problems with security configuration?
- how to automate the process? Some approaches: OpenSCAP (Linux), Scapolite (Windows)
- how to track differences between CIS guides and our policies?