--- 1/draft-ietf-sacm-terminology-01.txt 2014-01-17 09:14:34.103891017 -0800 +++ 2/draft-ietf-sacm-terminology-02.txt 2014-01-17 09:14:34.131891729 -0800 @@ -1,21 +1,21 @@ Security Automation and Continuous Monitoring WG D. Waltermire Internet-Draft NIST Intended status: Informational A. Montville -Expires: April 22, 2014 TW +Expires: July 17, 2014 CIS D. Harrington Effective Software - October 19, 2013 + January 13, 2014 Terminology for Security Assessment - draft-ietf-sacm-terminology-01 + draft-ietf-sacm-terminology-02 Abstract This memo documents terminology used in the documents produced by the SACM WG (Security Automation and Continuous Monitoring). Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. 
@@ -23,66 +23,514 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 22, 2014. + This Internet-Draft will expire on July 17, 2014. Copyright Notice - Copyright (c) 2013 IETF Trust and the persons identified as the + Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 2 - 2.1. Requirements Language . . . . . . . . . . . . . . . . . . 6 - 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 - 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 - 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 - 6. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 6 - 6.1. ietf-sacm-terminology-01- to -02- . . . . . . . . . . . . 6 - 6.2. -00- draft . . . . . . . . . . . . . . . . . . . . . . . 7 - 7. 
References . . . . . . . . . . . . . . . . . . . . . . . . . 7 - 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 - 7.2. Informative References . . . . . . . . . . . . . . . . . 7 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 + 2.1. Terms Extracted from UC -05 Draft . . . . . . . . . . . . 2 + 2.2. Terms from -01 Terminology Draft . . . . . . . . . . . . 12 + 2.3. Requirements Language . . . . . . . . . . . . . . . . . . 15 + 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 16 + 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 + 6. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 16 + 6.1. ietf-sacm-terminology-01- to -02- . . . . . . . . . . . . 16 + 6.2. ietf-sacm-terminology-01- to -02- . . . . . . . . . . . . 16 + 6.3. -00- draft . . . . . . . . . . . . . . . . . . . . . . . 16 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 16 + 7.2. Informative References . . . . . . . . . . . . . . . . . 16 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 1. Introduction Our goal with this document is to improve our agreement on the terminology used in documents produced by the IETF Working Group for Security Automation and Continuous Monitoring. Agreeing on terminology should help reach consensus on which problems we're trying to solve, and propose solutions and decide which ones to use. This document is expected to be temorary work product, and will probably be incorporated into the architecture or other document. 2. Terms and Definitions +2.1. 
Terms Extracted from UC -05 Draft + + The following terms were extracted from: http://tools.ietf.org/html/ + draft-ietf-sacm-use-cases-05 + + acquisition method + + actor + + actual endpoint state + + ad hoc collection task + + ad hoc evaluation task + + applicable data collection content + application + + appropriate actor + + appropriate application + + appropriate operator + + approved configuration + + approved endpoint configuration + + approved hardware list + + approved software list + + artifact + + artifact age + + assessment criteria + + assessment cycle + + assessment planning + + assessment subset + + assessment trigger + + asset characteristics + + asset management + + asset management data + + asset management system + + asynchronous compliance assessment + + asynchronous vulnerability assessment + + attack condition + + attribute + + automatable configuration guide + automatable configuration guide definition + + automatable configuration guide publication + + automated checklist verification + + automated endpoint compliance monitoring + + baseline + + baseline compliance + + building block + + business logic + + candidate endpoint target + + capability + + change detection + + change event + + change event monitoring + + change filter + + change management + + change management program + + checklist + + checklist identification + + checklist verification + + client endpoint + + collected posture attribute value + + collection content acquisition + + collection process + + collection request + collection task + + complete assessment cycle + + compliance + + compliance level + + compliance monitoring + + computing platform endpoint + + configuration baseline + + configuration data + + configuration item + + configuration item change + + configuration management + + content + + content change detection + + content data store + + content definition + + content instance + + content publication + + content query + + content repository + + content 
retrieval + + criteria + + critical vulnerability + + current sign of malware infection + + data analysis + data collection + + data collection content + + data collection path + + data store query + + database mining + + define content + + desired state + + desired state identification + + detection timeliness + + deviation notification + + discovery + + endpoint + + endpoint attribute + + endpoint compliance monitoring + + endpoint component inventory + + endpoint discovery + + endpoint event + + endpoint identification + + endpoint information analysis and reporting + + endpoint metadata + + endpoint posture + + endpoint posture assessment + + endpoint posture attribute + + endpoint posture attribute value + endpoint posture attribute value collection + + endpoint posture change monitoring + + endpoint posture compliance + + endpoint posture deviation + + endpoint posture deviation detection + + endpoint posture monitoring + + endpoint state + + endpoint target + + endpoint target identification + + endpoint type + + enterprise + + enterprise function + + enterprise function definition + + enterprise policy + + enterprise standards + + evaluating data + + evaluation content acquisition + + evaluation task + + evaulation result + + event-driven notification + + expected function + + expected state + + expected state criteria + + function + functional capability + + immediate detection + + indicator of compromise + + industry group + + information expression + + information model + + malicious activity + + malicious configuration item + + malicious hardware + + malicious software + + malware infection + + manual endpoint compliance monitoring + + mobile endpoint + + monitoring + + network access control + + network access control decision + + network event + + network infrastructure endpoint + + network location + + network-connection-driven data collection + + new vulnerability + + on-demand detection + + ongoing change-event monitoring + + ongoing-event-driven 
endpoint-posture-change monitoring + ongoing-event-driven monitoring + + operational data + + operations + + organizational policy + + organizational policy compliance + + organizational security posture + + patch + + patch change + + patch management + + performance condition + + periodic collection request + + periodic data collection + + policy + + posture aspect + + posture aspect change + + posture attribute + + posture attribute evaluation + + posture attribute identification + + posture attribute value + + posture attribute value collection + + posture attribute value query + + posture change + + posture deviation + + posture deviation detection + posture evaluation + + previously collected information + + previously collected posture attribute value + + previously collected posture attribute value analysis + + process + + public content repository + + publication metadata + + publication operations + + publish content + + query + + regulatory authority + + repository + + repository content identification + + repository content retrieval + + result + + result set + + retrieve content + + risk + + risk management + + risk management program + + scheduled task + + search criteria + + secure configuration baseline + + security administrator + security automation + + security posture + + security process + + server endpoint + + significant endpoint event + + significant event + + signs of infection + + state criteria + + supporting content + + target + + target endpoint + + task + + trigger + + unauthorized configuration item + + unauthorized hardware + + unauthorized software + + vulnerability + + vulnerability artifact + + vulnerability artifact age + + vulnerability condition + + vulnerability exposure + + vulnerability management + + vulnerability mitigation + + vulnerability remediation + whole assessment + + workflow trigger + +2.2. 
Terms from -01 Terminology Draft + assessment Defined in [RFC5209] as "the process of collecting posture for a set of capabilities on the endpoint (e.g., host-based firewall) such that the appropriate validators may evaluate the posture against compliance policy." Within this document the use of the term is expanded to support other uses of collected posture (e.g. reporting, network enforcement, vulnerability detection, license management). The 
@@ -240,45 +686,54 @@ are well understood and easily made, and if the vulnerable system is employed by a wide range of users, then it is likely that there will be enough motivation for someone to launch an attack. Vulnerability Management The process of mitigating the ability to exploit a vulnerability, via defect removal or protective measures such that exploitation becomes impossible or highly unlikely. (from Chris Inacio) -2.1. Requirements Language +2.3. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. IANA Considerations This memo includes no request to IANA. 4. Security Considerations This memo documents terminology for security automation. While it is about security, it does not affect security. 5. Acknowledgements 6. Change Log 6.1. ietf-sacm-terminology-01- to -02- + Added simple list of terms extracted from UC draft -05. It is + expected that comments will be received on this list of terms as to + whether they should be kept in this document. Those that are kept + will be appropriately defined or cited. + +6.2. ietf-sacm-terminology-01- to -02- + Added Vulnerability, Vulnerability Management, xposure, Misconfiguration, and Software flaw. -6.2. -00- draft +6.3. -00- draft + + o 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 7.2. Informative References 
@@ -283,34 +738,33 @@ 7.2. Informative References [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, August 2007. [RFC5209] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J. Tardo, "Network Endpoint Assessment (NEA): Overview and Requirements", RFC 5209, June 2008. Authors' Addresses - David Waltermire National Institute of Standards and Technology 100 Bureau Drive Gaithersburg, Maryland 20877 USA Email: david.waltermire@nist.gov Adam W. Montville - Tripwire, Inc. - 101 SW Main Street, Suite 1500 - Portland, Oregon 97204 + Center for Internet Security + 31 Tech Valley Drive + East Greenbush, New York 12061 USA - Email: amontville@tripwire.com + Email: adam.montville@cisecurity.org David Harrington Effective Software 50 Harding Rd Portsmouth, NH 03801 USA Email: ietfdbh@comcast.net
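Review bot: in the ToC/terminology hunk (@@ -23,66 +23,514 @@), the new Table of Contents lists sections 6.1 and 6.2 under the identical title "ietf-sacm-terminology-01- to -02-", so a reader cannot tell the two change-log entries apart; one of them needs a distinct title (the second entry records the Vulnerability/Misconfiguration/Software-flaw additions that were already present in -01, so it presumably covers an earlier revision). In the new Section 2.1 term list, "evaulation result" should read "evaluation result", and the blank-line separation between entries is inconsistent in a few places (for example "applicable data collection content" runs directly into "application", and "collection request" into "collection task", while every other pair is separated by an empty line). Several entries in the 2.1 list ("vulnerability", "vulnerability management", "assessment"-related terms) duplicate terms that Section 2.2 already defines; a cross-reference or a note that 2.1 is a candidate list pending definition would keep the document from appearing to define the same term twice. As a drive-by in the unchanged Introduction context, "temorary work product" should read "a temporary work product", and "propose solutions and decide which ones to use" would read better as "proposing solutions and deciding which ones to use".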
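Review bot: in the change-log hunk (@@ -240,45 +686,54 @@), the new heading "6.2. ietf-sacm-terminology-01- to -02-" duplicates the title of 6.1 immediately above it while describing a different set of changes (the Vulnerability, Vulnerability Management, Exposure, Misconfiguration and Software flaw additions); give it a title that identifies the revision it belongs to. The renumbered "6.3. -00- draft" section gains a bare "o" list marker with no text after it; either fill in the entry or drop the marker. Also in this hunk's context, "xposure" in the 6.2 paragraph is missing its leading "E", and Section 5 (Acknowledgements) is still empty. Renumbering "2.1. Requirements Language" to 2.3 is consistent with the two new subsections inserted ahead of it.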
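Review bot: in the Authors' Addresses hunk (@@ -283,34 +738,33 @@), the blank line between the "Authors' Addresses" heading and "David Waltermire" is deleted (the lone "-" line), which leaves the first author block formatted differently from the other two, each of which keeps a blank line before the name; restore that blank line. The affiliation, postal address and email changes for Adam W. Montville are consistent with the "CIS" abbreviation introduced in the first-page header earlier in the patch, so no further change is needed there.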