Common Configuration Enumeration (CCE): Unique Identifiers for Common System Configuration Issues
CCE Website is in "Archive" status.

News & Events — 2009 Archive

October 1, 2009

CCE/Making Security Measurable Booth at IT Security Automation Conference 2009, October 26-29

MITRE is scheduled to host a Making Security Measurable booth and present a Making Security Measurable briefing at the U.S. National Institute of Standards and Technology’s (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2009 in Baltimore, Maryland, USA. The CCE Team is also scheduled to contribute to the CCE-related workshops.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the CCE Calendar for information on this and other events.

Making Security Measurable Main Topic of Article in CrossTalk, The Journal of Defense Engineering

An article entitled "Making Security Measurable and Manageable" by CCE Team Member and CWE/CAPEC Program Manager Robert A. Martin was published in the September/October 2009 issue of CrossTalk, The Journal of Defense Engineering.

The article explains how measurable security and automation can be achieved by having government and public efforts address the creation, adoption, operation, and sustainment of their information security infrastructures in a holistic manner and by using common, standardized concepts to define the data (CVE, CCE, CPE, CAPEC, CWE, etc.), communicating this information through standardized languages (OVAL, XCCDF, CEE, etc.), sharing the information in standardized ways (OVAL Repository, NVD, etc.), and adopting tools and services that adhere to these standards.

September 2, 2009

CCE Included as Topic at IT Security Automation Conference 2009, October 26-29

CCE will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2009 in Baltimore, Maryland, USA. The CCE Team is also scheduled to contribute to the CCE-related workshops.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the CCE Calendar for information on this and other events.

Making Security Measurable Briefing at GFIRST5: The 5 Pillars of Cyber Security, August 24-28

CCE Team Member and CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Making Security Measurable at GFIRST5: The 5 Pillars of Cyber Security on August 24-28, 2009 at Atlanta, Georgia, USA.

Visit the CCE Calendar for information on this and other events.

August 5, 2009

Instruction on Using CCE Included in MITRE’s Free Benchmark Development Course, September 15-16

MITRE is scheduled to hold a Free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on September 15-16, 2009. The instruction on using CCE Identifiers in benchmark development is included in a section of the course entitled "Map Guidance to Existing Control Standards." The course explains the overall benefits of using CCE for fast and accurate correlation of common system configuration issues by different groups of people, between different tools, and across repositories; provides an example of a CCE Identifier and the information it includes; and teaches how to map to CCE Identifiers in benchmarks.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use CCE, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Open Checklist Interactive Language (OCIL), Common Platform Enumeration (CPE), Open Vulnerability and Assessment Language (OVAL) Definitions, the OVAL Interpreter, Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the CCE Calendar for information on this and other events.

MITRE Hosts ‘Making Security Measurable’ Booth at Black Hat Briefings 2009

CCE participated in a Making Security Measurable booth at Black Hat Briefings 2009 on July 29-30, 2009 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. See photos below:

[Photos: Making Security Measurable booth at Black Hat Briefings 2009]

Visit the CCE Calendar for information on this and other events.

July 22, 2009

Photos from MITRE’s Security Automation Developer Days 2009

MITRE hosted the first-ever Security Content Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference was technical in nature and focused on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

See event photos:

[Photos: Security Automation Developer Days 2009]

For additional information visit the Developer Days page on the Making Security Measurable Web site.

July 1, 2009

CCE Scheduled to Participate in ‘Making Security Measurable’ Booth at Black Hat Briefings 2009 on July 29-30

CCE is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2009 on July 29-30, 2009 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Stop by Booth 70 and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CCE Calendar for information on this and other events.

Instruction on Using CCE Included in MITRE’s Free Benchmark Development Course, July 14-15

MITRE is scheduled to hold a Free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on July 14-15, 2009. The instruction on using CCE Identifiers in benchmark development is included in a section of the course entitled "Map Guidance to Existing Control Standards." The course explains the overall benefits of using CCE for fast and accurate correlation of common system configuration issues by different groups of people, between different tools, and across repositories; provides an example of a CCE Identifier and the information it includes; and teaches how to map to CCE Identifiers in benchmarks.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use CCE, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Open Checklist Interactive Language (OCIL), Common Platform Enumeration (CPE), Open Vulnerability and Assessment Language (OVAL) Definitions, the OVAL Interpreter, Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the CCE Calendar for information on this and other events.

MITRE Hosts Security Automation Developer Days 2009

MITRE hosted the first-ever Security Content Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference was technical in nature and focused on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event was for the community to discuss SCAP in technical detail and to derive solutions that benefit all concerned parties. Discussion topics included NIST SP 800-126, SCAP content management, lifecycle, validation, and remediation; OVAL®, XCCDF, emerging specifications, and perceived gaps in standards coverage; ontology; and use cases. CCE was also mentioned.

For additional information visit the Developer Days page on the Making Security Measurable Web site.

June 3, 2009

CCE Mentioned in Article about SCAP in Computerworld

CCE was mentioned in an article entitled "How SCAP Brought Sanity to Vulnerability Management" in Computerworld on May 11, 2009. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

CCE is mentioned when the author explains that "SCAP is part of the Information Security Automation Program and is made up of a collection of existing standards. These standards include some that many of us are already familiar with, such as the Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Additionally, it includes the Common Platform Enumeration (CPE), a standard to describe a specific hardware, OS and software configuration. This is helpful for enumerating assets, giving you your baseline information to apply all of this data; the Common Configuration Enumeration (CCE), very similar to CVE but dealing with misconfiguration issues; the Open Vulnerability and Assessment Language (OVAL) to provide schemas that describe the inventory of a computer, the configuration on that computer and a report of what vulnerabilities were found on that computer; and Extensible Configuration Checklist Description Format (XCCDF), a description language to help you apply your technical policies and standards to your scanning tools."

The author also provides an example of SCAP in action: "Let’s see how this helps me in building a real solution. As a head of a vulnerability management program as discussed earlier, I am sitting on data from application security assessment tools, host and network scanners, and database vulnerability and configuration scanners. In reality, this includes multiple products and services for application security, as well as multiple tools for host and network assessments. I set out by taking advantage of APIs when available from the assessment tool providers as well as XML data feeds. Utilizing the code I’ve just written to automate the movement of the data, I now need to map this information to a normalized schema, taking advantage of the SCAP standards. This is a big deal! I now have a common way to describe the vulnerabilities. I can eliminate duplicates that reference the same CVE on the same platforms."

CCE Mentioned in Article about SCAP in Government Computer News

CCE was mentioned in an article entitled "Draft guidelines issued for using SCAP to automate security validation" in Government Computer News on May 7, 2009. The article covers two U.S. National Institute of Standards and Technology’s (NIST) documents: Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol, which specifies how enterprises can use NIST’s Security Content Automation Protocol (SCAP); and Draft NIST Interagency Report 7511, Security Content Automation Protocol Validation Program Test Requirements, Revision 1, a revised version of the testing requirements that security products using SCAP must meet to achieve SCAP validation.

CCE is mentioned in the article as one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results: "Common Configuration Enumeration, a dictionary of names for software security configuration issues, such as access control settings and password policy settings." The other five standards are Common Vulnerabilities and Exposures (CVE), Open Vulnerability and Assessment Language (OVAL), Common Platform Enumeration (CPE), Extensible Configuration Checklist Description Format (XCCDF), and Common Vulnerability Scoring System (CVSS).

Comments on draft guidelines 800-117 are due to NIST by June 12, 2009 and should be sent to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.

May 20, 2009

Conference Agenda Released for Security Automation Developer Days, June 8-12

A conference agenda has been posted for the first-ever Security Automation Developer Days 2009 conference to be held on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. The free five-day conference will be technical in nature and focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

To register for this free conference visit http://www.mitre.org/register/scap/.

Instruction on Using CCE Included in MITRE’s Free Benchmark Development Course, May 26-27

MITRE is scheduled to hold a Free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on May 26-27, 2009. The instruction on using CCE Identifiers in benchmark development is included in a section of the course entitled "Map Guidance to Existing Control Standards." The course explains the overall benefits of using CCE for fast and accurate correlation of common system configuration issues by different groups of people, between different tools, and across repositories; provides an example of a CCE Identifier and the information it includes; and teaches how to map to CCE Identifiers in benchmarks.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use CCE, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Open Checklist Interactive Language (OCIL), Common Platform Enumeration (CPE), Open Vulnerability and Assessment Language (OVAL) Definitions, the OVAL Interpreter, Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the CCE Calendar for information on this and other events.

May 6, 2009

CCE List Content Updated

The following new CCE List platform group download files are now available on the CCE List page as of May 6, 2009: AIX 5.3; HP-UX 11.23; Red Hat Enterprise Linux 4; and Sun Solaris 8 and Sun Solaris 9. In addition, the Red Hat Enterprise Linux 5 file and the combined All Platform Groups file have been updated as of May 6, 2009. Details have been sent to the CCE Working Group list.

Anyone who is not a member of the CCE Working Group can contact cce@mitre.org for more details on what has changed in this release. Older versions of the lists are also available by email request to cce@mitre.org.

MITRE to Host Security Automation Developer Days, June 8-12

MITRE is scheduled to host the first-ever Security Automation Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference will be technical in nature and focused on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event is for the community to discuss SCAP in technical detail and to derive solutions that benefit all concerned parties. Currently scheduled discussion topics include NIST SP 800-126, SCAP content management, lifecycle, validation, and remediation; OVAL®, XCCDF, emerging specifications, and perceived gaps in standards coverage; ontology; and use cases. CCE will also be mentioned.

For additional information or to register visit http://www.mitre.org/register/scap/.

MITRE Hosts "Making Security Measurable" Booth at RSA 2009

MITRE hosted a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009. Booth photos:

[Photos: Making Security Measurable booth at RSA 2009]

Visit the CCE Calendar for information on this and other events.

Information Systems Security Association (ISSA) Awards MITRE as "Outstanding Organization of the Year 2008"

MITRE Corporation was recognized as "Outstanding Organization of the Year" for 2008 by the Information Systems Security Association (ISSA). The award was presented at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 22, 2009, and was accepted on behalf of MITRE by Senior Vice President and General Manager of the Center for Integrated Intelligence Systems Robert Nesbit, Information Security Executive Director Marion Michaud, and Principal Information Systems Engineer Marc Noble.

MITRE was nominated for the award by the ISSA Northern Virginia Chapter for its role as a long-time supporter of the association and the information security profession, and for the development of publicly available solutions to thwart cybercrime, such as its "honeyclient" open-source package that proactively monitors Internet servers for fast-running, malicious programs designed to infect user systems.

"We see it as part of our public service mission to support the information security profession, including sharing knowledge we’ve developed to safeguard data and protect it from misuse," said Al Grasso, MITRE president and chief executive. "Recognition by ISSA tells us we’re meeting this critical responsibility."

In the past decade, MITRE has developed four of the six security standards that comprise the National Institute of Standards and Technology’s Security Content Automation Protocol, or SCAP. The four standards — Common Vulnerabilities and Exposures (CVE®); Open Vulnerability and Assessment Language (OVAL®); Common Platform Enumeration (CPE™); and Common Configuration Enumeration (CCE™) — are also part of MITRE’s "Making Security Measurable" effort.

April 1, 2009

MITRE to Host "Making Security Measurable" Booth at RSA 2009

MITRE is scheduled to host a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009. Please stop by Booth 2411 and say hello!

Visit the CCE Calendar for information on this and other events.

CCE/Making Security Measurable Briefing Presented at DHS/DoD/NIST SwA Forum

CCE Team Member and CWE Program Manager Robert A. Martin presented a briefing about CCE/Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 10-12, 2009 at MITRE Corporation in McLean, Virginia, USA.

Visit the CCE Calendar for information on this and other events.

March 11, 2009

Instruction on Using CCE Included in MITRE’s Free Benchmark Development Course, April 8

MITRE is scheduled to hold a Free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on April 8, 2009. The instruction on using CCE Identifiers in benchmark development is included in a section of the course entitled "Map Guidance to Existing Control Standards." The course explains the overall benefits of using CCE for fast and accurate correlation of common system configuration issues by different groups of people, between different tools, and across repositories; provides an example of a CCE Identifier and the information it includes; and teaches how to map to CCE Identifiers in benchmarks.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use CCE, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Open Checklist Interactive Language (OCIL), Common Platform Enumeration (CPE), Open Vulnerability and Assessment Language (OVAL) Definitions, the OVAL Interpreter, Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the CCE Calendar for information on this and other events.

MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2009

MITRE hosted a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009.

Visit the CCE Calendar for information on this and other events.

February 25, 2009

CCE Mentioned in Top Twenty Most Critical Security Controls Document

CCE was mentioned in Draft 1.0 of the "Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance" consensus document released by a consortium of federal agencies and private organizations on February 23, 2009. The document, which uses "knowledge of actual attacks and defines controls that would have stopped those attacks from being successful," includes 15 critical controls that are subject to automated measurement and validation and an additional 5 critical controls that are not.

CCE is mentioned as follows in a section about why the list is so important for chief information security officers (CISOs), chief information officers (CIOs), federal inspectors general, and auditors: "This effort also takes advantage of the success and insights from the development and usage of standardized concepts for identifying, communicating, and documenting security-relevant characteristics/data. These standards include the following: common identification of vulnerabilities (Common Vulnerabilities and Exposures-CVE), definition of secure configurations (Common Configuration Enumeration-CCE), inventory of systems and platforms (Common Platform Enumeration-CPE), vulnerability severity (Common Vulnerability Scoring System-CVSS) and identification of application weaknesses (Common Weaknesses Enumeration-CWE). These standards have emerged over the last decade through collaborative research and deliberation between government, academia and industry. While still evolving, several of these efforts in standardization have made their way into commercial solutions and government, industry, and academic usage. Perhaps most visible of these has been the Federal Desktop Core Configuration (FDCC) which leveraged the Security Content Automation Program (SCAP)."

The draft is available for public review and comment at www.gilligangroupinc.com, www.csis.org, and www.sans.org/cag until March 23, 2009.

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2009, March 9-10

MITRE is scheduled to host a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009. Please stop by booth 531 and say hello.

Visit the CCE Calendar for information on this and other events.

February 11, 2009

MITRE Hosts "Making Security Measurable" Booth at 2009 Information Assurance Symposium

MITRE hosted a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-6, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks."

Visit the CCE Calendar for information on this and other events.

January 28, 2009

MITRE to Host "Making Security Measurable" Booth at 2009 Information Assurance Symposium, February 3-6

MITRE is scheduled to host a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-6, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks." Please stop by booth 301 and say hello.

Visit the CCE Calendar for information on this and other events.

January 15, 2009

CCE List Content Updated

The following CCE List platform group download files have been updated on the CCE List page as of January 15, 2009: Windows Vista, Windows XP, Windows 2000, Windows Server 2008, Windows Server 2003, Microsoft Office 2007, Internet Explorer 7, and the combined All Platform Groups.

There are 352 total new CCEs in this release: Office 2007 – 5; Vista – 25; Windows 2000 – 257; Windows 2003 – 25; Windows 2008 – 25; and Windows XP – 15. In addition, a number of entries were modified or deprecated. Details have been sent to the CCE Working Group list.

Anyone who is not a member of the CCE Working Group can contact cce@mitre.org for more details on what has changed in this release. Older versions of the lists are also available by email request to cce@mitre.org.

January 7, 2009

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2009

MITRE has announced its initial Making Security Measurable calendar of events for 2009. Details regarding MITRE’s scheduled participation at these events are noted on the CCE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CCE Calendar for information or contact cce@mitre.org to have MITRE present a briefing or participate in a panel discussion about CCE, CVE, CPE, CAPEC, CWE, CEE, CRF, OVAL, and/or Making Security Measurable at your event.

Page Last Updated: December 09, 2011