That's a good point, Joe. We will see what we can do to clarify this up front and improve the readability and expectations of the document.

Yes, I think a vulnerability report could look like the one you referenced, although the scenario document does not prescribe any format/representation/etc. for a vulnerability report.

Thanks,
Danny

-----Original Message-----
From: Wolfkiel, Joseph L CIV DISA ID (US) [mailto:[email protected]]
Sent: Wednesday, December 02, 2015 8:53 AM
To: Haynes, Dan <[email protected]>; Romascanu, Dan (Dan) <[email protected]>; Linda Dunbar <[email protected]>; [email protected]; [email protected]
Cc: [email protected]
Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario

I think the disappointment may have been headed off if the document was more explicit, right at the beginning, about what a "vulnerability report" is. I got 2/3 of the way through the document before I understood that "vulnerability report" and "vulnerability definition" are effectively the same construct. A vulnerability report apparently is an announcement that a vulnerability has been discovered and defined to the point where endpoint managers can run assessments on their endpoints to determine whether their endpoints have the vulnerability or not.

This concept is confusing because generally, with existing vulnerability scanners, new vulnerability "reports" are a subset of updated vulnerability definitions that are automatically propagated to the tools and aren't delivered as stand-alone "reports".

So a vulnerability "report" would look something like the report at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8395 (I think).

Joseph L. Wolfkiel
SCM Engineering Lead
DISA ID52
Fort Meade DISA Acquisition Bldg
Cube A4A58E
Work: (301) 225-8820
Gov Cell: (571) 814-8231
[email protected]

-----Original Message-----
From: sacm [mailto:[email protected]] On Behalf Of Haynes, Dan
Sent: Wednesday, December 02, 2015 8:36 AM
To: Romascanu, Dan (Dan); Linda Dunbar; [email protected]; [email protected]
Cc: [email protected]
Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario

Hi Linda,

Please let us know if there are any specific questions that we can answer for you, to help clarify the document, after considering it in the context of the SACM charter as Dan mentioned.

Thanks,
Danny

From: OPSEC [mailto:[email protected]] On Behalf Of Romascanu, Dan (Dan)
Sent: Sunday, November 22, 2015 9:48 AM
To: Linda Dunbar <[email protected]>; [email protected]; [email protected]
Cc: [email protected]
Subject: Re: [OPSEC] [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario

Hi Linda,

Thanks for answering the call for review and having a look at this work.

Concerning your 'little disappointment': this I-D needs to be read in the context of the current charter of the SACM WG. The WG charter focus for this phase is on the 'endpoint posture' and on the 'enterprise use case'. Maybe this makes things somewhat clearer.

Regards,
Dan

From: sacm [mailto:[email protected]] On Behalf Of Linda Dunbar
Sent: Thursday, November 19, 2015 10:36 PM
To: Romascanu, Dan (Dan); [email protected]; [email protected]
Cc: [email protected]
Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario

Reading through the document has made me feel that the title of the draft is misleading.

Based on the title I was expecting to see the vulnerability assessment of various network scenarios, which would be very useful information for enterprise and service provider network administrators to put in place adequate tools to protect against those vulnerabilities. But the document only describes the procedure for authenticating an end user/endpoint and states that you need to compare with the vulnerability report (almost like common sense) without saying how and what.

I guess I had too high an expectation, but I am a little disappointed at not finding the information I was looking for.

Linda Dunbar

From: OPSAWG [mailto:[email protected]] On Behalf Of Romascanu, Dan (Dan)
Sent: Thursday, November 19, 2015 7:51 AM
To: [email protected]; [email protected]
Cc: [email protected]
Subject: [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario

Hi,

I am reiterating a request that I made at IETF 94 in the OPSAWG meeting, and also sent to the mail lists of opsec and opsawg.

The SACM WG is considering a document, https://datatracker.ietf.org/doc/draft-coffin-sacm-vuln-scenario/, that describes the operational practice of vulnerability reports, which we believe is an important use case in the security assessment life cycle. We are requesting feedback from operators about the scenario described in this document: does it make sense? Is it similar to what you do in operational real life? Are you using similar or different methods for vulnerability assessment in your networks?

A quick reading and short feedback would be greatly appreciated.

Thanks and Regards,
Dan
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
