Glossary and Terms

 

Asset

Scan targets that have been discovered and collected into the Security Suite or SAINTCloud data repository are considered Assets. Unlike Target Groups, that are logical collections of ‘like’ scan targets, identified by a network address identifier (IP address; Hostname; URL; etc.), Assets represent actual, physically identified hosts that have been scanned by the scan engine.

Asset Tag

Asset Tags are descriptive names that logically describe a scanned host (aka Asset). They are designed as Key:Value pairs, to support local requirements for tracking, managing and analyzing scan results in a business context. For example, an Asset Tag with key=”Criticality” can have one or more values, such as High, Medium and Low. The Assets component of SAINT products provide the capability to create Asset Tags and then associate them to hosts that have been scanned and stored in the asset repository. For example, IP=”10.2.0.1” with Hostname=’local.Msmith” can be associated with an Asset Tag “Criticality=High”. Once tagged, scan jobs can be created by Asset Tags to manage scan activity in a business context, as well as used in analysis and reporting to prioritize remediation efforts with the same business context.

Asset Identification (AI)

Asset Identification (AI), under SCAP, is a format for uniquely identifying assets based on known identifiers and/or known information about the assets. The SCAP specification describes the purpose of asset identification, a data model for identifying assets, methods for identifying assets, and guidance on how to use asset identification. It also identifies a number of known use cases for asset identification.

 

SAINT Security Suite and SAINTCloud support the AI specification, version 1.1, by generating Asset Identifiers as part of the Asset Report Format (ARF) output. Output generated for scans are executed for any SCAP scan profile or benchmark, for both OVAL and XCCDF content. Asset identifiers are make available as content in the pre-configured ARF output in the SCAP module, by selecting a completed OVAL or XCCDF scan and viewing the ARF Report from the Manage Results Data page. Asset Identifiers are then available to users by selecting individual output files for any target assessed during the scan. The AI and ARF report can then be viewed within the SCAP user interface or exported in XML format to support local requirements and/or compliance reporting.

Asset Reporting Format (ARF)

The Asset Reporting Format (ARF), under SCAP, expresses the transport format of information about assets and the relationships between assets and reports. The SCAP specification prescribes the standardized data model to facilitate the reporting, correlating and fusing of asset information throughout and between organizations.

 

SAINT Security Suite and SAINTCloud support the ARF specification, version 1.1, by generating ARF-formatted output. Output generated for scans are executed for any SCAP scan profile or benchmark, for both OVAL and XCCDF content. ARF formatted output is make available as pre-configured output in the SCAP module, by selecting a complete scan and viewing the SCAP-compatible results from the Manage Results Data page. The final ARF output is then made available as one of the selectable output formats for individual targets assessed during the scan. The ARF report can then be viewed within the SCAP user interface or exported in XML format to support local requirements and/or compliance reporting.

CCE™

Common Configuration Enumeration (CCE) is a dictionary of names for software security configuration issues (e.g., access control settings, password policy settings). As such, CCEs describe system configuration issues to facilitate correlation of configuration data across multiple information sources and tools. SAINT products provide support for CCEs by displaying CCE IDs, in accordance with the specifications and CCE 5.0 schema located at http://cce.mitre.org for each configuration item in scanning results produced for XCCDF scanning policies and profiles. Analytics capability also provides data drill-down and report configuration options that include displaying CCE ID and Descriptions. CCE IDs are displayed in several of the different reports offered via the data analysis in the Benchmark Reports page. These include the required output format defined as “CCE ID, pass/fail” and a detail format which organizes results by XCCDF Rules, and displays results for each XCCDF Rule, to include: the CCE IDs; CCE descriptions; whether or not the CCE passed/failed against the target system; and why the CCE passed/failed against the target system. A policy editor is also provided  to allow users to disable and enable configuration checks by CCE to meet specific network requirements.

Checks (Vulnerability Check)

A vulnerability check is the programming logic used to interrogate a target host for the evidence of a specific vulnerability. A check contains the check ID, a description, the associated CVE identifier, as well as other information used SAINT’s inference engine to determine whether a vulnerability exists.

Confirmed Vulnerability

Vulnerabilities identified using a definitive test, such as an exploit that gains read access to a file on the target or a successfully guessed password.

CPE™

CPE (Common Platform Enumeration) is a structured naming scheme for information technology systems, software and packages. SAINT products provide support for CPE, version 2.3, by using the CPE names which are defined in the official CPE dictionary at http://nvd.nist.gov/cpe.cfm, then mapping all known CVE(s) to the corresponding CPE(s) for a given year. SAINT also facilitates CPE content updates directly from the authoritative source, as a product feature, to remove the burden of data maintenance from the user and to ensure accurate and complete source data when CPE data is used. This CVE-CPE mapping is used within the reporting component as an available option in custom reports.

 

Custom reporting features enable users to select all vulnerabilities in a given severity level, as well as define report parameters and options related to specific vulnerability categories and services, such as CPE, to display the CPE entries corresponding to displayed vulnerability, if any. SAINT’s reporting options also enable users to select the output format from a number of available formats, such as HTML, XML and CSV.

CVE®

CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and other information security exposures. The CVE repository is maintained by MITRE and is a free-use site. SAINT products provide support for CVE with the capability to execute vulnerability scans for vulnerabilities, by CVE ID—they internally identify vulnerabilities by proprietary vulnerability check IDs and then cross-references with CVE names. The scan engine returns all vulnerability checks that detect the CVE and includes CVE numbers in its vulnerability data analysis, reports and tutorials for ease of reference to related tools and resources. At the conclusion of vulnerability scan execution, analytics features provide users with the capability to view the list of vulnerabilities and continue the analysis by supporting customized scanning by selected CVE for a given vulnerability or by selecting other categories or values relevant to the analysis.

 

Analytical and report writing features then provide the capability to produce report output containing CVE IDs in a number of formats, such as HTML, XML and CSV. These features also provide hyperlinks to related resources, such as an online CVE Index that includes the CVE ID, description and custom SAINT tutorials; as well as linking directly to the official CVE descriptions at http://cve.mitre.org to facilitate further analysis, assessment and remediation.

 

CVE data is updated dynamically as part of each release/update cycle – routinely twice each week. The “Generated Date” (by MITRE) and “Updated Date” (by SAINT) are part of this content. Note that there is a subclass of CVEs, called "candidates" that are potential CVEs but have not yet been approved. The candidate CVEs are prefixed by "CAN" in the SAINT/CVE cross-reference list. When candidates become approved in a new CVE version, they are moved from the "CAN" section of the cross-reference list to the "CVE" section, and then made available for report output and vulnerability tutorials. The SAINT/CVE cross-reference list includes CAN and CVE entries on the same page, so the browser's search function can search for both CVE and CAN entries when the YYYY-NNNN portion of the identifiers are specified in the search. The complete list of CVEs supported by SAINT can be found on our customer portal site (mySAINT).

CVSS

CVSS (Common Vulnerability Scoring System) is “a vulnerability scoring system designed to provide an open and standardized method for rating Information Technology vulnerabilities framework for communicating the characteristics and impacts of IT vulnerabilities.” CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal, and environmental properties of a vulnerability. For more information see the CVSS web site.

 

SAINT products provide support for CVSS through scanning, analysis and reporting capabilities providing users with the capability to create custom scanning policies that include specified CVSS ranges when defining scan levels and setting up custom scans. Reporting options also enable the user to show the CVSS base score and CVSS base vector for each vulnerability detected, as an optional column, when creating custom reports. Custom reporting features within the Report page enable users to select all vulnerabilities in a given severity level, as well as define report parameters and options related to specific vulnerability categories and services, such as CVSS base scores and CVSS base vectors, to display the CPE entries corresponding to displayed vulnerability, if any. SAINT products then enable users to select their output format from a number of available formats, such as HTML, XML and CSV. Additionally, SAINT products provide support for CVSS as part of Payment Card Industry (PCI) Compliance. CVSS base scores are shown as part of PCI compliance reports. CVSS base scores are used as the primary factor in determining whether a given device is compliant during a PCI compliance assessment.

 

SAINT backend processes import CVSS base scores, CVSS vectors and “date generated” from the National Vulnerability Database (NVD), and delivers that information, as well as the date updated, to our customers through our SAINTexpress maintenance release process. The raw CVSS content is stored in the product database and is also available in the configuration sub-directory of the SAINT installation directory (e.g., config/cve-cvss). Each line in the cve-cvss file contains the name of the source file the data following that line was extracted from, along with both the “generated” and “updated” dates for the source file - prefixed with the "#" character.

Distributed Node

Like a Remote Node, a Distributed Node is a term that describes a Scanner Node that is not the default Local Node that is a part of the base installation. A distributed node can be synonymous with a Remote Node, in that the term may also apply to a scanner node that has been installed (e.g. distributed) in a remote location. But, this term is more commonly used to describe any connected scanner other than the default Local Node. For example, for a large network, an installation may include the Manager, Local Node and 25 additional Scanner Nodes to distribute the workload, either through load balancing or directing specific scan jobs across multiple scanners. In this use case, the scanners are note deployed remotely. Simply installed along with the Manager to manage scanning from the central location.

Exploits

An individual exploit is programming logic used to interrogate and penetrate a vulnerable host based on the weakness identified by a vulnerability scan. An individual exploit is specific to a CVE. However, an individual vulnerability may be associated with multiple CVEs, and as a result, may have multiple exploit paths for a single vulnerability.

FDCC

FDCC is the Federal Desktop Core Configuration. The Federal Government first instituted security guidelines in 2007 with a directive from the Office of Management and Budget (OMB) on the “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems.” This directive – called the “Federal Desktop Core Configuration” or FDCC – required agencies to adopt security configurations defined by the National Institute for Standards and Technology (NIST) for Windows XP and Vista operating systems. This initiative has evolved over time into the USGCB. SAINT products provide support to FDCC by ingesting SCAP-expressed data streams and assessing targets for compliance.

FISMA 

The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
 

SAINT products provide support to Security Controls CA-7 – Continuous Monitoring; RA-3 – Risk Assessment; and RA-5 – Vulnerability Scanning as a vulnerability scanner and penetration testing tool. SAINT products provide a FISMA scan policy as one of its default scan levels, as well as providing a pre-configured FISMA Vulnerability Assessment Report through the report engine. These capabilities enable managers to use the results of the vulnerability scans to execute penetration testing of target hosts. The results can then be used as “evidence of the potential harm” from the identified vulnerabilities, thus allowing for a more holistic approach to risk analysis and management.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, mandates that companies take extraordinary steps to protect the medical information they collect from patients. The law affects insurers, hospitals, laboratories, doctor's offices and the pharmaceutical industry. The law also applies to employers who keep employee health data for insurance purposes.
 

SAINT products provide support to HIPAA by providing a customized scanning template that supports requirements from recent compliance requirements and security rules. Related to HIPAA, the scan template is based on standards requirements from the Security Rule, focused on Risk Analysis and Risk Management, as well as overall vulnerability scanning and output specifications outlined through NIST. SAINT products also provide support for a customized HIPAA Vulnerabilities Assessment Report that enables managers to assess their security posture and make informed decisions related to compliance, corrective action and on-going risk management. These capabilities also provide managers with penetration testing tools to attempt exploitation of selected vulnerabilities to gather further evidence of the impact of these vulnerabilities and risk to their assets.

Inferred Vulnerability

Vulnerabilities determined from information such as service banners and software version numbers or potentially derived from the existence of other related vulnerabilities.

Job

A scan Job is the heart of the vulnerability or penetration testing setup and execute. A Job contains a unique name, description, target list, possibly target exclusions (e.g., target list is a Subnet but must exclude individual hosts), a scan policy, authentication credentials (or run as uncredentialed), configured as a single “one off” scan or configured as a recurring scan, and contains specific scanning configurations for all scans to be run for the job. Jobs can be associated with a Target Group, and inherit the targets defined in the group, or can be run and managed outside of a Target Group.

Key (SAINT key)

They key contains all information about your product license and is used by the software to validate the status of the license and retain the current status of your usage. For example, total number of licensed targets and the current usage.

Local Node

A Local Node is the default scanning engine (see Scanner Node) that is pre-installed with all installations that are set up and configured as the main management console. For most installations, this configuration (Manager-Local Node) is the most common deployment for Security Suite.

mySAINT

The mySAINT portal (https://www.saintcorporation.com/cgi-bin/secure/customer/logon.pl)  is the back end customer website that provides content, help, and a lot more to enhance your user experience with SAINT products. This site provides the capability to download licensed products; create and manage license keys; view information about all licensed products; see the details about the latest product updates, vulnerability checks and exploits; download useful tools and help content; view detailed information about product content related to OVAL, XCCDF, exploits and vulnerabilities; and a whole lot more.

Nodes

Each SAINT scan is executed by a SAINT scanner “node”. A scanner Node is an instance of the scanning engine, managed by a Security Suite or SAINTCloud user interface, through the SAINT API or from a command line interface (CLI). The scanner Node receives scan job instructions from the software, communicates between the SAINT inference engine, scanner probes and target hosts; and communicates results back to the software for storage and presentation. Each installation comes pre-packaged with a single scanner node (aka “local node”).

OVAL®

Open Vulnerability and Assessment Language (OVAL) is an international information security standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. SAINT products support OVAL definitions of the patch, vulnerability, compliance and inventory class for most platforms and adheres to the latest OVAL schema (e.g., v.5.10.1 as of the date of SCAP v.1.2 validation). The scanning engine then consumes and executes selected definitions and assesses hosts, without the need for a local agent or plugin, to determine and report issues found on the hosts.

 

SAINT products support OVAL compliance checking by allowing users to import OVAL checks (standalone and/or SCAP-expressed data streams) from the OVAL repository, as well as importing user-developed XML files containing OVAL checks. An SCAP-expressed data stream is defined as “a collection of four or more related XML files containing SCAP data using the SCAP components that provide the data necessary to evaluate systems for compliance with a configuration-based security policy.”

 

SAINT products also provide viewing and downloading OVAL result files via the GUI, as well as viewing human readable (non XML) results.

OWASP

SAINT products provide a pre-defined scan policy that spans the OWASP Top 10 Web Application Security Risks. The Open Web Application Security Project (OWASP) organization’s primary focus is on improving the security of software.

Pause Window

 A Pause Window is a scan status indicating an active recurring scheduled scan is currently paused because a Scan Window was defined for the Job and the active job was still running at the time the defined window was reached. The active scan will resume at the start of the next Start/Resume time of the defined scan window.

PCI

Payment Card Industry (PCI). The PCI Security Standards Council (SSC) is the oversight council that defines the technical requirements and specifications required of merchants, service providers and security assessors as it relates to systems that process credit card transactions or contain credit card information. SAINT Corporation is an Approved Scanning Vendor (ASV) certified by the PCI SSC to perform scanning and attestation services applicable to Requirement 11.2 and the ASV Program Guide. SAINT products provide a pre-defined scanning policy, analytics, and pre-defined reporting types that are Requirement 11.2 compliant. SAINT scanning and penetration testing products provide support for many other PCI requirements – most notably requirements for internal vulnerability scanning and internal and external penetration testing.

Policy

A scan policy is a logical grouping of vulnerability checks. For example, a PCI policy is a pre-defined scan option that interrogates target hosts for vulnerabilities and configurations required Requirement 11.2 of the PCI ASV Program Guide.

Probes

A scan “probe” is a collection of vulnerability checks related to a technology or platform (e.g., Microsoft Windows probe). SAINT products provide a mechanism for users to create custom vulnerability checks that will be accessed by probes based on locating the applicable technology or platform signature found during the discovery phase of a scan.

Remote Node

A Remote Node is a term to denote a Scanner Node that is deployed into a remote network or remote location for the purposes of accessing target hosts that may not be accessible from the Manager’s location.  For example, the manager’s location is in a central data center, and a scanner node is deployed into a network in a different state, and makes a secure connection to the central manager used to direct scans to one or more remote mode.

SAINT® ASV

This SAINT product is a SaaS-based (Software-as-a-Solution) ASV scanning and attestation service. This product provides customers with direct access to a scan solution and SAINT's ASV service offering, for those that must comply with Requirement 11.2 of the PCI DSS and ASV Program Guide.

SAINTCloud™

This SAINT product is a SaaS-based (Software-as-a-Solution) solution that provides the full functionality and power of SAINT software and appliance-based software (scanner, configurations, exploit, reporting) but is tailored for those customers that want the convenience of a cloud-based solution with no software installation required and data stored in the cloud. SAINT Cloud is accessed through a secure web portal.

SAINTexpress®

This plug-in is deployed with every installation of the software and is used to communicate back to SAINT’s update server and pull the latest vulnerability checks, exploits, bug fixes and product updates. 

Scans

Scans are the results of running individual scan job instances against targets. Jobs can include individual “one off” scans or they can include multiple scans as a result of scheduled, recurring scan jobs.

Scan Window

A Scan Window is a feature to enable a user to define when recurring scheduled Job scans can be active. For example, schedule a job to run each night, starting at Midnight, but create a Scan Window of Midnight to 5am, nightly. If a scheduled scan is still running as of 5am, the scan will Pause, with a Status of “Pause Window” and resume at the start of the next scan window (midnight).  

Scanner Node

Every installation comes bundled with at least one scanning engine. In SAINT terminology, each scanning engine is called a scanner ‘node’. The default scanner node connected to the management console (aka “Manager”), and part of the default installation, is named “Local Node”. The SAINT architecture does support connecting more than one scanner node to the manager, to manage scalability, capacity and complex network architectures.  For example, scanning remote locations or large-scale environments by connecting multiple scanner nodes to the manager, such as deploying scanners inside of multiple subnets (see Remote Node), assigning scanning permissions to groups of users to individual scanners, and enterprise-level scalability and performance by directing scan jobs across multiple scanners to distribute the workload (see Distributed Node).

SCAP

SAINT Security Suite and SAINTCloud provide support to The Security Content Automation Protocol (SCAP) specification, as an Authenticated Configuration Scanner (ACS), including the Common Vulnerabilities and Exposures (CVE) option. SAINT provides support to SCAP requirements defined for each of these components, as defined in SP 800-126, Revision 2, the SCAP specification, and verified by compliance testing against the Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements (NISTIR 7511, Revision 3), dated January 2013 – including updates as of July 2013.

 

SAINT's release strategy includes a numbering convention that supports periodic feature releases (8.x) and security content (8.x.x) that offer added capabilities and functionality since the 8.0 launch. The  version 8.4 major product release was designed and submitted as the first major release to support SCAP Version 1.2 standards. SAINT’s release schedule will continue to support this release strategy, however, these releases will not alter the SCAP component of the product in a manner that impacts compliance with the SCAP v.1.2 specification. Thus, SAINT products will remain compliant with SCAP v.1.2 for 8.4 and above, until the specification requires new validation.

 

SAINT products provide support for open standards languages, enumerations and metrics that currently include XCCDF, OVAL, CCE, CPE, CVE and CVSS, AI, ARF and TMSAD of the specification. SAINT products also provide support for the U.S. Government Configuration Baseline (USGCB) by ingesting valid SCAP-expressed data streams and assessing target configurations against these baselines. These capabilities also provide support for evaluating SCAP content to scan for compliance, vulnerabilities, and patches using both standalone OVAL definition files and OVAL definitions contained in SCAP-expressed data streams.

 

SAINT products complete this capability by providing data analysis, links to external authoritative sources of information, policy editing and reporting interfaces, to facilitate local policy investigation and analysis, as well as compliance reporting in canned and custom presentation of output in machine-readable and many human-readable formats, such as HTML, PDF, XML and CSV.

STIG

Security Technical Implementation Guides (STIGs) and NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. A STIG Security Checklist, typically a companion of a STIG, is essentially a document that contains instructions or procedures to manually verify compliance to a STIG. Since 1998, DISA Field Security Operations (FSO) has continued to enhance the security posture of DoD's security systems by providing these STIGs, that contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (SCAP) in order to be able to “automate” compliance reporting of the STIGs.  SAINT products provide support to STIGs through a combination of SCAP functionality via the XCCDF configuration benchmarks, and through mapping of IAVA codes to vulnerabilities. A Benchmark, in this definition, is an “automated” STIG which may be used in conjunction with an SCAP compliant tool like SAINT Security Suite to provide automated compliance reporting for the applicable STIG. A master list of the current STIGs published by DISA can be found at http://iase.disa.mil/stigs/a-z.html  

Target

Targets are the hosts to be scanned. SAINT scanning solutions currently scan virtually any physical and virtual host with an IP address, both for IPv4 and IPv6 addresses.

Target Group  

This feature allows you to create a logical container or grouping of scan targets in a way that fits business needs, and then associate scans to this logical container. For example, create a Target Group for a subnet at a physical location to reduce the setup time to create jobs for that location's network range (Target Group="Dallas"; Targets: 10.2.0.2/24). Create scan Jobs and associate them to the Target Group, to organize scan jobs in a more logical, hierarchical manner. Once hosts have been discovered and collected in the asset repository, they can then be tracked and managed as Assets by logical Asset Tags.

Trust Model for Security Automation Data (TMSAD)

The SCAP Trust Model for Security Automation Data (TMSAD) is a specification for using digital signatures in a common trust model applied to other security automation specifications. The SCAP specification prescribes the standardized data model for establishing trust for security automation data.  

 

SAINT products support the TMSAD specification, version 1.0, by verifying the XML signature to ensure the content has not been modified. If a signature is not valid, the scanning engine aborts the scan and generates an error to notify the user of the failed scan.

USGCB

SAINT Corporation asserts that the SAINT Security Suite and cloud-hosted SAINTCloud products are fully functional and operate correctly as intended on systems using the U.S. Government Configuration Benchmark (USGCB). Target settings applicable to performing USGCB assessments are defined in the SCAP section. To run a scan, the targets must meet only the requirements for running a normal authenticated scan. Targets can be scanned for USGCB compliance by importing the desired USGCB SCAP Data Stream, containing XCCDF and OVAL document formats, and selecting it when choosing a scan policy to run. USGCB scans make use of CCE to simply tracking of configuration issues found during a scan. SAINT products produce multiple reports in both the required formats for SCAP and some non-required formats for data analysis. The reports are viewable in the SCAP Data section of the GUI and can also be bundled and downloaded to support external requirements such as content backups, compliance reporting or importing into other applications.

XCCDF

XCCDF (Extensible Common Configuration Data Format) is a specification language for writing security checklists, benchmarks and related types of documents defined by NIST. SAINT products provide the capability to import, validate, view, execute policy scans, and report on benchmarks in XCCDF format, version 1.2. SAINT products provide two methods of collection: 1) Select a supported policy to validate and Import or Update content; and 2) Use the SCAP Upload Benchmark option in the Benchmark Scanning data grid to manually import definitions for validation and execution by SAINT’s scanning engine. This capability includes support for importing SCAP Expressed Data-Streams in .zip and .xml formats.

  

SAINT products also provide a Policy Editor for those users that wish to use an existing XCCDF-based policy as a template to edit and save a custom policy to support local requirements. This editor allows users to view such information as the detailed descriptions of each group and rule contained in a policy; and to enable and disable checks (rules), and modify values associated with certain rules.

 

XCCDF-based scan results can be viewed or downloaded in a number of compliance formats: XCCDF Results document; XCCDF Human readable results document; OVAL system characteristics for each target; and OVAL Results documents that resulted from the XCCDF scan.