Vendor Provided Validation Details - Lumension Security's PatchLink Security Manager (SCM) for Scan v 1.2
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.
Statement of SCAP Implementation
PatchLink SCM is an open, standards-based solution that enables customers to
leverage the wealth of knowledge and content in repositories such as the one
maintained by the National Institute of Standards and Technology (NIST), the
world's largest open repository of vulnerability, patch, and configuration
assessments, dramatically reduce their "time to security", and deliver
immediate value from their investment. The best-practices content in this
repository, created and approved by the security community, is based on the
SCAP open set of standards, a combination of six common vulnerability and
configuration identification standards: CVE, OVAL, CPE, CCE, XCCDF and CVSS
(CVSS support is planned for a future stage).
PatchLink SCM allows Administrators to upload the SCAP archive through the
Configuration Policy Manager web page. This page allows Administrators to
select the desired benchmark and profile for quick assessment. The
Configuration Policy Manager also allows multiple benchmarks to be assigned
to a single policy for mixed or heterogeneous environments.
Statement of CVE Implementation
Common Vulnerabilities and Exposures (CVE) is a list or dictionary that
provides common identifiers for publicly known information security
vulnerabilities and exposures. Using a common identifier makes it easier to
share data across separate databases and tools that, before CVE, were not
easily integrated.
PatchLink SCM adopts CVE by displaying CVE IDs for missing security patches
and software vulnerabilities. Users can also select a CVE ID to hyperlink
directly to the public National Vulnerability Database (NVD) hosted by NIST.
The CVE references can be viewed by navigating to Groups > Compliance Detail
> Select a Device Name that has been scanned > Expand the Benchmark > drill
through the tree and select the hyperlink of the test to launch the detailed
assessment results page.
Users can also search for CVE IDs by navigating to the Vulnerabilities page
and entering the CVE ID in the Name/CVE No search field; this displays the
detailed results and identifies additional systems to which the software
vulnerability applies.
Statement of CCE Implementation
The Common Configuration Enumeration (CCE) provides common identifiers for
system configuration settings in order to facilitate fast and accurate
correlation of configuration data across multiple information sources and
tools. The CCE IDs are included in the SCAP data streams to map security best
practices to computer configurations. PatchLink SCM displays the CCE IDs after
a computer has completed its scan; the results are also hosted in XML format
on the SCM Server for further analysis. CCE IDs are likewise included when
exporting the scan results.
Statement of CPE Implementation
The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. CPE is, put simply, a standards-based dictionary of software product names.
PatchLink SCM adopts CPE to verify that configuration scans are not run on systems to which a benchmark or profile does not apply. This allows Administrators to include security benchmarks for Windows 2000, Windows XP, Windows 2003, and Windows Vista systems in a single configuration policy.
Administrators can assign this configuration policy to the built-in Windows System Group, which cascades it down to child groups such as Windows 2000, Windows XP, Windows 2003, and Windows Vista. Administrators can then review the scan results for each operating system version to get a complete view of their assessment results. Because applicability is checked against the CPE name first, a system incurs no scanning overhead for a benchmark that does not apply to it.
Statement of CVSS Implementation
The Common Vulnerability Scoring System (CVSS) is an open standard for
assigning a score to a vulnerability that indicates its relative severity
compared with other vulnerabilities. It offers visibility into how each score
was calculated by revealing the underlying vulnerability characteristics that
are inputs to the score calculation.
PatchLink SCM exposes CVSS scores through the CVE IDs it displays for missing
security patches and software vulnerabilities. Users can select a CVE ID to
hyperlink directly to the public National Vulnerability Database (NVD) hosted
by NIST. The CVE references can be viewed by navigating to Groups >
Compliance Detail > Select a Device Name that has been scanned > Expand the
Benchmark > drill through the tree and select the hyperlink of the test to
launch the detailed assessment results page. From the detailed assessment
results page, users can click the CVE ID to open the NVD entry, where the
CVSS severity score is displayed.
Statement of XCCDF Implementation
The Extensible Configuration Checklist Description Format (XCCDF) is a
specification language for writing security checklists, benchmarks, and
related kinds of documents. An XCCDF document represents a structured
collection of security configuration rules for some set of target systems.
The specification is designed to support information interchange, document
generation, organizational and situational tailoring, automated compliance
testing, and compliance scoring.
XCCDF is consumed by the PatchLink SCM agent, which interprets the checklist,
scans the system, and posts the results to the PatchLink SCM Server, where
they are collected. The results can be viewed by:
Viewing the Compliance Summary View for a high-level summary of the scan
results.
Viewing the Compliance Detail View for a detailed, drill-through view of scan results.
Viewing the Device Configuration Policies View for a more thorough review of the scan results, which also displays a tree-view detail of each rule or checklist item.
Configuration Policy Reports – five canned reports that can be used to report the results of the scan.
Statement of OVAL Implementation
The Open Vulnerability and Assessment Language (OVAL) is an open, XML-based
standard language that promotes open and publicly available security content
and standardizes the transfer of this information across the entire spectrum
of security tools and services.
PatchLink SCM uses OVAL during the scan or assessment of the selected system
to evaluate, carry out, and report the results of the OVAL Definitions for
that platform.
The OVAL Definition ID can be retrieved by navigating to Groups > Compliance
Detail > Select a Device Name that has been scanned > Expand the Benchmark >
Expand the desired check > click on the check name to display the Detailed
Assessment Results page using the XML View.
The OVAL Test ID can be retrieved by navigating to Groups > Compliance Detail
> Select a Device Name that has been scanned > Expand the Benchmark > Expand
the desired check > click on the check name to display the Detailed
Assessment Results page using the Table View.
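The statements above describe four pieces of SCAP plumbing without showing the data they act on: the CPE applicability gate (the CPE statement), profile-driven rule selection and compliance scoring (the XCCDF statement), and the CCE identifiers and OVAL definition IDs that the Compliance Detail view surfaces (the CCE and OVAL statements). The following script is an added example written for this page, not PatchLink SCM code and not vendor content; it walks a constructed XCCDF 1.1 benchmark whose CCE and OVAL identifiers are placeholders, uses a simplified component-wise CPE 2.2 match (an empty component in the benchmark name matches anything), and scores results with a flat weighted model normalized to a percentage, which is a simplification of the scoring models XCCDF defines. The OVAL results fed in are constructed as well; a real scanner would obtain them by evaluating the referenced definitions against the host.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}

# Constructed XCCDF 1.1 benchmark for this example; the CCE and OVAL IDs are
# placeholders, not real NIST, MITRE or PatchLink content.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <Profile id="workstation">
    <select idref="rule-pw-length" selected="true"/>
    <select idref="rule-guest-disabled" selected="true"/>
    <select idref="rule-audit-logon" selected="false"/>
  </Profile>
  <Group id="account-policy">
    <Rule id="rule-pw-length" selected="true" weight="10.0">
      <ident system="http://cce.mitre.org">CCE-0000-1</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="checks.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="rule-guest-disabled" selected="true" weight="5.0">
      <ident system="http://cce.mitre.org">CCE-0000-2</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="checks.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
    <Rule id="rule-audit-logon" selected="true" weight="1.0">
      <ident system="http://cce.mitre.org">CCE-0000-3</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="checks.xml" name="oval:example:def:3"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""

def cpe_components(cpe):
    # CPE 2.2 URI form: cpe:/part:vendor:product:version:update:edition:language
    parts = cpe.split(":")[1:]               # drop the "cpe" scheme
    parts[0] = parts[0].lstrip("/")
    return parts + [""] * (7 - len(parts))   # pad absent trailing components

def cpe_matches(benchmark_cpe, host_cpe):
    """Simplified CPE 2.2 match: empty benchmark components are wildcards."""
    for want, have in zip(cpe_components(benchmark_cpe), cpe_components(host_cpe)):
        if want and want != have:
            return False
    return True

def benchmark_applies(root, host_cpe):
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    # A benchmark with no <platform> element applies to every target.
    return not platforms or any(cpe_matches(p, host_cpe) for p in platforms)

def selected_rules(root, profile_id):
    """Start from each Rule's own 'selected' flag, then apply the Profile's
    <select> overrides; an unknown profile is an error, not an empty scan."""
    rules = {r.get("id"): r for r in root.iter(f"{{{XCCDF_NS}}}Rule")}
    selected = {rid: r.get("selected", "true") == "true" for rid, r in rules.items()}
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise KeyError(f"no profile {profile_id!r} in benchmark")
    for sel in profile.findall("x:select", NS):
        selected[sel.get("idref")] = sel.get("selected") == "true"
    return [rules[rid] for rid, on in selected.items() if on]

def rule_refs(rule):
    # (rule id, CCE id or None, OVAL definition id or None) for one Rule
    cce = oval = None
    for ident in rule.findall("x:ident", NS):
        if ident.get("system") == CCE_SYSTEM:
            cce = ident.text.strip()
    for chk in rule.findall("x:check", NS):
        ref = chk.find("x:check-content-ref", NS)
        if chk.get("system") == OVAL_SYSTEM and ref is not None:
            oval = ref.get("name")
    return rule.get("id"), cce, oval

def score(rules, oval_results):
    """Flat weighted score as a percentage; only an OVAL result of 'true' earns weight."""
    total = earned = 0.0
    for rule in rules:
        weight = float(rule.get("weight", "1.0"))
        total += weight
        if oval_results.get(rule_refs(rule)[2]) == "true":
            earned += weight
    return round(100.0 * earned / total, 1) if total else 0.0

def assess(xml_text, host_cpe, profile_id, oval_results):
    """Applicability gate first, then profile resolution, then scoring."""
    root = ET.fromstring(xml_text)
    if not benchmark_applies(root, host_cpe):
        return {"applicable": False, "rules": [], "score": None}
    rules = selected_rules(root, profile_id)
    return {"applicable": True,
            "rules": [rule_refs(r) for r in rules],
            "score": score(rules, oval_results)}

if __name__ == "__main__":
    # Constructed OVAL results: def:1 passed, def:2 failed, def:3 was deselected and never ran.
    results = {"oval:example:def:1": "true", "oval:example:def:2": "false"}
    print(assess(BENCHMARK_XML, "cpe:/o:microsoft:windows_xp::sp3", "workstation", results))
```

Two points the walk-through makes concrete: the applicability check happens before any rule is evaluated, so a Windows Vista host (cpe:/o:microsoft:windows_vista) gets an empty result rather than a partial scan against the XP benchmark, and a profile can deselect a rule that the benchmark itself marks selected, which is why the profile, not just the benchmark, has to be chosen in the Configuration Policy Manager. The CCE and OVAL definition IDs come straight out of the Rule's ident and check-content-ref elements, which is the same data the Compliance Detail views expose.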