Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues
CCE Website is in "Archive" status
 

   

News and Events - 2007 Archive

December 14, 2007

CCE List, Version 4.1 Now Available

Version 4.1 of the CCE List is now available. The updated list contains new CCE Identifiers (CCE-IDs) created primarily for the U.S. National Institute of Standards and Technology's Security Content Automation Protocol (SCAP) content for the Federal Desktop Core Configuration (FDCC) for Microsoft Vista, and for the 2007 Microsoft Office Security Guide released by Microsoft on November 11, 2007. References for these two sources will be added at a later date.

In addition, Version 5.0 of the CCE List is in Draft Stage and posted for review in the Upcoming Version section of the CCE List page. Many of the configuration issues with a single CCE-ID in Version 4 will have multiple CCE-IDs in Version 5, one for each applicable platform group.

Please send feedback on the current and/or upcoming versions of CCE to cce@mitre.org.


December 6, 2007

CCE Version 5.0 in Draft Stage

Version 5.0 of the CCE List is currently in the Draft stage. In Version 5, CCE Identifiers (CCE-IDs) will be assigned according to platform groups, which will allow CCE-IDs to be organized and created more efficiently. Many of the issues that are assigned a single CCE-ID in Version 4 will be assigned multiple CCE-IDs in Version 5, one for each applicable platform group.

The platform groups for Version 5 include "Windows Vista," "Windows XP," "Windows 2000," "Windows Server," "Internet Explorer 7," and "Office 2007."

MITRE will provide a clear migration plan for replacing Version 4.0 CCE-IDs with Version 5.0 CCE-IDs when Version 5 is finalized. Version 4.0 remains the official version of the CCE List.

MITRE to Host "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1

MITRE is scheduled to host a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.

The conference will expose the CCE, CVE, CPE, CME, CAPEC, CWE, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CCE Calendar for information on this and other events.


November 20, 2007

CCE Identifiers Included in Microsoft Security Guide

CCE Identifiers (CCE-IDs) are included in the 2007 Microsoft Office Security Guide posted on the Microsoft TechNet Web site on November 11, 2007. The purpose of the guide is to provide "IT professionals with best practices and automated tools to help strengthen the security of computers that run either Windows Vista or Windows XP SP2" and the following Microsoft Office applications: Access 2007, Excel 2007, InfoPath 2007, Outlook 2007, PowerPoint 2007, and Word 2007.

CCE-IDs are included specifically in the "Threats and Countermeasures" and "Security Settings Spreadsheet" sections of the guide. The Threats and Countermeasures section is a "comprehensive technical reference that explains the security and privacy settings for the six referenced applications, their recommended configurations, and which threats they address. It also contains Common Configuration Enumeration (CCE) IDs for all the settings. CCE provides identifiers to system configurations to facilitate fast and accurate correlation of configuration data across multiple information sources and tools." The Security Settings Spreadsheet section "lists security settings for the six referenced applications and their recommended configurations for the EC and SSLF environments, as well as Common Configuration Enumeration (CCE) IDs for all the settings."


November 8, 2007

CCE Mentioned in Article about SCAP in eWeek

CCE was mentioned in an article entitled "SCAP Beta Will Boost Enterprise Compliance Efforts" in eWeek on August 1, 2007. The article describes how the U.S. National Institute of Standards and Technology's Security Content Automation Protocol (SCAP) "…could streamline the way civilian organizations enable automated vulnerability management."

CCE is mentioned when the author states: "SCAP uses data feeds from the NVD (National Vulnerability Database), which is defined and maintained by the National Institute of Standards and Technology, better known as NIST. SCAP is an open standard, and the NVD is available license-free. SCAP uses information from six open standards, including CVE (Common Vulnerability and Exposures) and CCE (Common Configuration Enumeration), both overseen by MITRE, along with data provided by the XCCDF (eXtensible Configuration Checklist Description Format), a standard XML expression for specifying checklists and reporting results from those checklists."

CCE Mentioned in Product Releases Article in Processor Magazine

CCE was mentioned in the "Product Releases" article in Processor Magazine on October 5, 2007. CCE is mentioned in the "Security" section of the article regarding Secure Elements' C5 Compliance Platform 3.3, which "…is the first product to work with NIST SCAP content to help federal government agencies meet the OMB Mandate. It also helps with compliance with NIST ISAP/SCAP initiative for auditing security configurations using OVAL, XCCDF, CPE, CVSS, CCE, and CVE."

CCE Mentioned in Secure Elements Press Release

CCE was mentioned in a September 18, 2007 news release from Secure Elements, Inc. entitled "Secure Elements Announces New Version of IT Audit and Compliance Platform." CCE is mentioned in the portion of the release that describes how Secure Elements' C5 Compliance Platform Version 3.3 adds enhanced NIST SCAP FISMA reporting: "For federal government agencies, C5 is the first enterprise solution that works directly with the NIST SCAP content to help them meet the OMB Mandate for secure desktop configurations as well as incorporating all of the latest standards as defined by the NIST ISAP/SCAP initiative for auditing security configurations utilizing OVAL, XCCDF, CPE, CVSS, CCE and CVE."


October 3, 2007

CCE a Topic at Security Automation Conference 2007

CCE was included as a topic at the U.S. National Institute of Standards and Technology's (NIST) Security Automation Conference & Workshop 2007 on September 19-20, 2007 in Gaithersburg, Maryland, USA. NIST's Security Content Automation Protocol (SCAP) employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

CCE was also a topic in MITRE's Making Security Measurable exhibitor booth during the exhibition portion of the event. The conference exposed the CCE, CVE, CPE, CME, CAPEC, CWE, OVAL, and Making Security Measurable efforts to information security professionals from government and industry.

Visit the CCE Calendar for information on this and other events.


September 12, 2007

CCE Included in Making Security Measurable Booth at Security Automation Conference 2007, September 19-20

MITRE will host a Making Security Measurable exhibitor booth at the U.S. National Institute of Standards and Technology's (NIST) Security Automation Conference & Workshop 2007 on September 19-20, 2007 in Gaithersburg, Maryland, USA. CCE will also participate in discussion panels at the event on September 20th.

NIST's Security Content Automation Protocol (SCAP) employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

The conference will expose the CCE, CVE, CPE, CME, CAPEC, CWE, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CCE Calendar for information on this and other events.

Photos of Booth at Black Hat Briefings 2007

MITRE hosted a CCE/Making Security Measurable exhibitor booth at Black Hat Briefings 2007 on August 1-2, 2007 at Caesars Palace in Las Vegas, Nevada, USA. See photos below:

[Three photos: Black Hat Briefings 2007]

Visit the CCE Calendar page for information on this and other upcoming events.


August 29, 2007

Common Configuration Enumeration (CCE) Launches New Web Site

The CCE List is now available on this dedicated Common Configuration Enumeration (CCE) Web site. It was formerly hosted on the CVE Web site. The new site includes the CCE List; an Editorial Policies page; an About section describing the overall CCE effort and process in more detail; a News page; a Calendar page; a Community page; and a CCE Working Group page.

CCE Included as Topic at Security Automation Conference & Workshop 2007, September 19-20

CCE will be included as a topic at the U.S. National Institute of Standards and Technology's (NIST) Security Automation Conference & Workshop 2007 on September 19-20, 2007 in Gaithersburg, Maryland, USA. In addition to contributing throughout the workshop, CCE will also participate in discussion panels on September 20th.

NIST's Security Content Automation Protocol (SCAP) employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the CCE Calendar for information on this and other events.

CCE Included in Booth at Black Hat Briefings 2007

MITRE hosted a Making Security Measurable exhibitor booth at Black Hat Briefings 2007 on August 1-2, 2007 at Caesars Palace in Las Vegas, Nevada, USA. The conference exposed the CCE, CVE, CME, CWE, CPE, OVAL, and Making Security Measurable efforts to a diverse audience of information security-focused attendees from around the world.

Visit the CCE Calendar page for information on this and other upcoming events.


July 22, 2007

CCE List, Version 4.0 Now Available

Version 4.0 of the CCE List is now available. The updated draft focuses on security-related configuration issues for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Internet Explorer 7, and Office 2007.

CCE provides unique identifiers to system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. As an example, CCE Identifiers could be used to associate checks in configuration assessment tools with statements in configuration best-practice documents such as the Center for Internet Security (CIS) benchmark documents.

Participation by the information security community is an important element in the success of CCE. We encourage you or your organization to contribute by joining the CCE Working Group or by commenting on the current draft of the CCE List. Please send any feedback on the list or other comments to cce@mitre.org.

CCE Mentioned in Article about Security Content Automation Protocol in Government Computer News

CCE was mentioned in a May 22, 2007 article entitled "NIST releases FISMA security control tools" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology's (NIST) Security Content Automation Protocol (SCAP), which according to the article is an "automated checklist that uses a collection of recognized standards for naming software flaws and configuration problems in specific products. It can help test for the presence of vulnerabilities and rank them according to severity of impact. The checklist files are mapped to NIST specifications for compliance with the Federal Information Security Management Act, so that the output can be used to document FISMA compliance."

CCE is mentioned when the author states that "SCAP currently uses six open standards for enumerating, evaluating and measuring the impact of software problems and reporting the results," and includes CCE as follows: "Common Configuration Enumeration, CCE, from MITRE; standard identifiers and a dictionary for system security configuration issues." The other five standards are: Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

SCAP is an expansion of the U.S. National Vulnerability Database (NVD), which is based upon the CVE List. NVD also includes CCE Identifiers.


March 29, 2007

CCE Co-Hosts Booth at InfoSec World 2007

MITRE hosted a Making Security Measurable exhibitor booth at InfoSec World 2007 Conference & Expo on March 19-21, 2007 at the Rosen Shingle Creek Resort in Orlando, Florida, USA. The conference exposed MITRE's CCE, CVE, CME, CWE, CPE, and OVAL efforts to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others.

The conference itself is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals.

Visit the CCE Calendar page for information on this and other upcoming events.

CCE Co-Hosts Booth at OMG Software Assurance Workshop

MITRE hosted a Making Security Measurable exhibitor booth about MITRE's CCE, CVE, CME, CWE, CPE, and OVAL efforts at the OMG Software Assurance Workshop on March 5-7, 2007 at the Hyatt Fair Lakes in Fairfax, Virginia, USA. Object Management Group (OMG) is an international, open membership, not-for-profit computer industry consortium. OMG's task forces "develop enterprise integration standards" for a wide range of technologies and industries and its modeling standards "enable powerful visual design, execution and maintenance of software and other processes."

Visit the CCE Calendar page for information on this and other upcoming events.


February 15, 2007

CCE Co-Hosts Booth at 2007 Information Assurance Workshop

MITRE hosted a Making Security Measurable exhibitor booth at the 11th annual 2007 Information Assurance (IA) Workshop on February 12-15, 2007 at the Wyndham Orlando Resort, in Orlando, Florida, USA. The purpose of the workshop, which is hosted by the U.S. Defense Information Systems Agency (DISA) and National Security Agency (NSA), is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event introduced MITRE's CCE, CVE, CME, CWE, CPE, and OVAL efforts to representatives of the DOD and other Federal Government employees and their sponsored contractors.

Visit the CCE Calendar page for information on this and other upcoming events.

CCE Co-Hosts Booth at RSA Conference 2007

MITRE hosted a Making Security Measurable exhibitor booth at RSA Conference 2007 on February 5-8, 2007 at the Moscone Center in San Francisco, California, USA. RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event introduced MITRE's CCE, CVE, CME, CWE, CPE, and OVAL efforts to security professionals from industry, government, and academia from around the world.

Visit the CCE Calendar page for information on this and other upcoming events.


      

Page Last Updated: September 28, 2012