Name of Your Organization:

nCircle Network Security, Inc.

Web Site:

http://www.ncircle.com

Compatible Capability:

IP360 Vulnerability Management System

Capability home page:

http://www.ncircle.com/products/index.html

General Capability Questions

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

nCircle provides the IP360 Vulnerability Management system to customers through direct sales and resellers.

Once operational, IP360 displays CVE and CAN numbers for applicable vulnerabilities as part of their description. This information appears within reports, as well as within a separate search functionality. Users can search the vulnerability database by CVE and CAN number.

Additionally, if configured, IP360 includes CVE IDs in the XML output from the VnE Manager.

Mapping Questions

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

Release notes are shipped to customers with each update of the vulnerability rules. The release notes include the most recent CVE version that was used for data import and mapping.

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

nCircle includes applicable CVE and CAN numbers with each vulnerability condition added to the product. The existing CANs are audited for promotion on a weekly basis. Additionally, audits of individual conditions are performed as part of the Quality Assurance process each time an update is released.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

As all relevant data is included with the initial addition of a vulnerability condition to the system, the CVE mappings are updated as such. Explanation of the update process is included in the Online Help system, as well as the system documentation available for download from IP360's interface.

Documentation Questions

7) CVE and Compatibility Documentation <CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

The Glossaries of the IP360 Basics Guide, IP360 Administrator Guide, and the online help system contain this text:

CVE
Common Vulnerabilities and Exposures. "A list of standardized names for vulnerabilities and other information security exposures." (Taken from the CVE website: www.cve.mitre.org. The website has a description for each CVE number listed in this help documentation.)

CVE Compatibility
nCircle is applying for CVE compatibility. The CVE Compatibility Process involves two phases. The first, called the Declaration Phase, consists of registering an organization's declaration of intent to make their product(s) and/or service(s) CVE-compatible. An organization must complete phase 1 before starting phase 2. The second phase, called the Evaluation Phase, requires the completion of a questionnaire that specifically looks for the details of how the organization has satisfied the "Requirements and Recommendations for CVE Compatibility."

(Taken from the CVE website: https://cve.mitre.org/compatible/process.html)

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

The IP360 Administrator Guide Chapter 8 "Advanced Security Profiling Language" and the online help section of the same name contain this text (CVE ID as a search criterion is listed in the table):

Searching for Advanced Security Profiling Language Conditions

Users can search for all rules within the standard and custom ASPL rule sets.

Note: If a vulnerability or attack (unbound or bound) condition is not or no longer used by IP360, the condition's description will still be displayed, but not its former component rules. Unused conditions are kept for reference purposes.

To search for vulnerability and attack conditions:

  1. Under Analyze: ASPL > Vulnerabilities, select one or more of the following criteria. Check Advanced Search to access these criteria. Select zero or more items from each criterion list.

Search Criterion | Description
Search Phrase | Keywords to search for in the names and descriptions of vulnerability and attack conditions
Risk Level | Risk levels that classify vulnerabilities and their related attacks by the type and ease of access that attackers gain
Strategy Level | Applies to nCircle rules only. nCircle assigns a Strategy to each nCircle vulnerability condition.
Applications | Applications to which the vulnerabilities and attacks are bound in the rule definition
CVE ID | Text field for a specific vulnerability's CVE ID. Use of the format YYYY-NNNN will yield both CVEs and CANs.
BugTraq ID | Text field for a specific vulnerability's BugTraq ID (partial values not allowed)
SANS Top 20 Category | Text field for a specific SANS Top 20 category (the results will include nCircle vulnerability conditions that cover vulnerabilities in that category)
Vulnerability/Attack Type | Determines whether to show ASPL conditions that are part of the standard "nCircle" ASPL set or that are Administrator-created "custom" conditions
Score | Vulnerability conditions must have a score greater than or less than this value.
Rule Type | Determines whether to show ASPL conditions that contain intrusive rules or non-intrusive rules. Because a condition can contain multiple rules, only one rule has to be "intrusive" or "non-intrusive" for the condition to be in the results.
Auth Attempt | Determines whether to show ASPL conditions that have at least one rule that has been marked Auth Attempt or not. If "No Auth Attempted" is selected, only those vulnerability conditions that contain no "Auth Attempt" rules will be returned.

  2. Click Submit.
    All vulnerability conditions (and related attack conditions) that match the criteria are displayed below.
  3. Click a vulnerability or attack condition to view its details.
    Details about the vulnerability or attack condition, including the component ASPL rules and related attack and vulnerability conditions, are displayed. A vulnerability's CAN or CVE ID is displayed under "Advisory Publisher Entries."

 

Sample search and results for a vulnerability and attack condition search
<middle of screen deleted>
Description of the vulnerability condition selected in the search results

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

See documentation displayed under #8 (Where a user can find the CAN/CVE ID of a specific vulnerability is described in step #3).

10) Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

The indexes of the IP360 Basics Guide, the IP360 Administrator Guide, and the online help system contain this text:

CVE   153
  CANs vs. CVEs 154
  Converting CANs to CVEs 154
  find a vulnerability by CVE ID 112
  find the ID for a vulnerability 112
  IP360-CVE compatibility 153
  Updating ASPL rules 154

Candidate Support Questions

11) Candidates Versus Entries Indication <CR_6.1>

If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):

CVE Candidates are displayed with the CAN preface, as opposed to the CVE preface.

12) Candidates Versus Entries Explanation <CR_6.2>

If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):

The difference between CANs and CVEs is explained within the documentation. The Glossaries of the IP360 Basics Guide, the IP360 Administrator Guide, and the online help system contain this text:

CVE

Common Vulnerabilities and Exposures. "A list of standardized names for vulnerabilities and other information security exposures." (Taken from the CVE website: www.cve.mitre.org. The website has a description for each CVE number listed in this help documentation.)

Candidates Vs. Official Entries

CVE candidates are those vulnerabilities or exposures under consideration for acceptance into CVE. Candidates are assigned special numbers that distinguish them from CVE entries. However, these numbers become CVE entries if the candidate is accepted into CVE. For example, a candidate number might be CAN-1999-0067, while its eventual CVE number would be CVE-1999-0067. Also, the assignment of a candidate number is not a guarantee that it will become an official CVE entry. (Taken from the CVE website: https://cve.mitre.org/cve/search_tips.html#candidates)

13) Candidate to Entry Promotion <CR_6.3>

If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):

nCircle audits the existing CANs within the system for promotion on a weekly basis. If any CANs are found to have been promoted, their designation is changed to CVE.

The Glossaries of the IP360 Basics Guide, the IP360 Administrator Guide, and the online help system contain this text:

CVE

Common Vulnerabilities and Exposures. "A list of standardized names for vulnerabilities and other information security exposures." (Taken from the CVE website: https://cve.mitre.org. The website has a description for each CVE number listed in this help documentation.)

Converting CANs to CVEs

The existing CANs are reviewed on a weekly basis for promotion to CVEs. If a CAN has been promoted, the IP360 database is updated to reflect its change in status.

Updating nCircle Standard Rule Set

nCircle obtains data about emerging vulnerabilities from various industry sources. This data is normalized and prioritized prior to being researched by the ASPL team. The research of each vulnerability condition includes confirmation of relevant resources (CVE, bugtraq, MS Advisories), in addition to the creation of rules to check for the condition. nCircle's ASPL team focuses primarily on un-authenticated remote checks for conditions.

14) Candidate and Entry Search Support <CR_6.4>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):

The IP360 Administrator Guide Chapter 8 "Advanced Security Profiling Language" and the online help section of the same name contain the relevant text. This text is quoted in full in answer to <CR_4.2>.

15) Search Support for Promoted Candidates <CR_6.5>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's support for retrieving the CVE entry for a candidate that is no longer a candidate (recommended):

All searches for CVEs and CANs can be performed based on the YYYY-NNNN format. The search functionality will return valid results for either CANs or CVEs. The IP360 Administrator Guide Chapter 8 "Advanced Security Profiling Language" and the online help section of the same name contain the relevant text. This text is quoted in full in answer to <CR_4.2>.

16) Candidate Mapping Currency Indication <CR_6.6>

If CVE candidates are supported or used, explain where and how you tell your users how up-to-date your candidate information is (recommended):

nCircle audits the existing CANs within the system for promotion on a weekly basis. If any CANs are found to be promoted, their designation is changed to CVE.

The Glossaries of the IP360 Basics Guide, the IP360 Administrator Guide, and the online help system contain this text:

Converting CANs to CVEs

The existing CANs are reviewed on a weekly basis for promotion to CVEs. If a CAN has been promoted, the IP360 database is updated to reflect its change in status.

Type-Specific Capability Questions

Tool Questions

17) Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

To find a vulnerability by CVE ID, a user navigates to the "Analyze" section of the interface, then selects ASPL->Vulnerabilities from the menu. By checking the 'advanced options' box, the user is able to enter the YYYY-NNNN portion of the CVE or CAN. The search will return full details for any vulnerability associated with that CVE or CAN.

Additionally, if a user chooses to search for vulnerabilities by name, the CVE or CAN associated with the results is displayed within the details for each condition. This display also provides a link to cve.mitre.org and the content associated with this CVE or CAN.

18) Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

As with the search by CVE functionality above, a user can search for a condition by name or other text, as well as other attributes. The result will contain the associated CVE or CAN as applicable.

Additionally, within the reported results for a scan, the associated CVE is displayed with each condition. The display within the report provides the same data as the results from a search.

19) Getting a List of CVE Names Associated with Tasks <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (recommended):

IP360 performs periodic backups of the database, which can be configured for delivery to a remote host. A customer would need to restore this database and extract the list of CVEs from that data.

A request to nCircle would be a more efficient means of obtaining this information.

22) Non-Support Notification for a Requested CVE Name <CR_A.2.7>

Provide a description of how the tool notifies the user that the task associated with a selected CVE name cannot be performed (recommended):

If a CVE or CAN is not included within the IP360 system, the search functionality will return a "No vulnerabilities found" message to the user.

Media Questions

31) Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

IP360 provides data export in three formats (PDF, CSV, and XML), as well as the browsable HTML interface to the product itself. CSV and XML, as pure text formats, are inherently searchable. These formats are available as part of the IP360 automated export functionality. Each individual report can be exported to PDF, which is searchable with most PDF readers.

32) Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles, provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

Within IP360's reports, CVE IDs for individual conditions can be found by 'drilling down' on the conditions. A user simply clicks on the condition's name and is presented with a details screen containing the individual CVE ID(s) associated with that condition.

Additionally, although it is possible to generate an electronic document (PDF) that contains only the short names for conditions, it must be specifically requested as such. The full PDF/XML/CSV export contains the full details for each condition.

33) Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

As an example, within the XML export, the CVE ID is listed thus:

...
    <risk>Remote Access</risk>
    <skill>Windows Binary</skill>
    <strategy>Network Reconnaissance</strategy>
  </vuln>
  <vuln id="286">
    <vname>Identd available</vname>
    <vscore>13</vscore>
    <appmap type="ip360_app">144</appmap>
    <advisories>
      <cve>CAN-1999-0629</cve>
    </advisories>
...
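
Added example (not nCircle's code and not part of the original submission): a Python script that indexes an export shaped like the excerpt above by the YYYY-NNNN portion of each name, so one lookup finds a condition whether it is listed as a CAN or as a CVE, and malformed `<cve>` values are set aside for audit. The `<vulns>` root element, record 9001, and the function names are assumptions; only the children of `<vuln id="286">` come from the excerpt.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input. The children of <vuln id="286"> follow the excerpt
# above; the <vulns> root and record 9001 are assumptions for illustration.
SAMPLE_EXPORT = """\
<vulns>
  <vuln id="286">
    <vname>Identd available</vname>
    <vscore>13</vscore>
    <appmap type="ip360_app">144</appmap>
    <advisories>
      <cve>CAN-1999-0629</cve>
    </advisories>
  </vuln>
  <vuln id="9001">
    <vname>Constructed condition with two advisory values</vname>
    <vscore>40</vscore>
    <advisories>
      <cve>CVE-1999-0067</cve>
      <cve>not-a-cve-name</cve>
    </advisories>
  </vuln>
</vulns>
"""

NAME_RE = re.compile(r"^(CAN|CVE)-(\d{4}-\d{4,})$")
QUERY_RE = re.compile(r"^(?:(?:CAN|CVE)-)?(\d{4}-\d{4,})$", re.IGNORECASE)

def index_export(xml_text):
    """Return (index, rejected). index maps YYYY-NNNN to the conditions citing
    it; rejected lists (vuln id, raw text) for malformed <cve> values."""
    # ElementTree is adequate for an export from your own appliance; use a
    # hardened parser such as defusedxml for files of unknown origin.
    root = ET.fromstring(xml_text)
    index, rejected = defaultdict(list), []
    for vuln in root.iter("vuln"):
        for cve in vuln.findall("./advisories/cve"):
            raw = (cve.text or "").strip()
            match = NAME_RE.match(raw.upper())
            if match is None:
                rejected.append((vuln.get("id"), raw))
                continue
            index[match.group(2)].append({
                "vuln_id": vuln.get("id"),
                "vname": vuln.findtext("vname", default=""),
                "name": match.group(0),
                "status": "candidate" if match.group(1) == "CAN" else "entry",
            })
    return dict(index), rejected

def search(index, query):
    """Look up by YYYY-NNNN; a CAN-/CVE- prefix on the query is ignored."""
    match = QUERY_RE.match(query.strip())
    if match is None:
        raise ValueError(f"not a CVE name or YYYY-NNNN value: {query!r}")
    return index.get(match.group(1), [])

if __name__ == "__main__":
    idx, bad = index_export(SAMPLE_EXPORT)
    for key in sorted(idx):
        print(key, [(r["vuln_id"], r["name"], r["status"]) for r in idx[key]])
    print("rejected:", bad)
```

Keying on YYYY-NNNN means a stored CAN that has since been promoted still matches a lookup made with the CVE form of the name.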

Graphical User Interface (GUI)

34) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

Searching for Advanced Security Profiling Language Conditions

Users can search for all rules within the standard and custom ASPL rule sets.

Note: If a vulnerability or attack (unbound or bound) condition is not or no longer used by IP360, the condition's description will still be displayed, but not its former component rules. Unused conditions are kept for reference purposes.

To search for vulnerability and attack conditions:

  1. Under Analyze: ASPL > Vulnerabilities, select one or more of the following criteria. Check Advanced Search to access these criteria. Select zero or more items from each criterion list.

Search Criterion | Description
Search Phrase | Keywords to search for in the names and descriptions of vulnerability and attack conditions
Risk Level | Risk levels that classify vulnerabilities and their related attacks by the type and ease of access that attackers gain
Strategy Level | Applies to nCircle rules only. nCircle assigns a Strategy to each nCircle vulnerability condition.
Applications | Applications to which the vulnerabilities and attacks are bound in the rule definition
CVE ID | Text field for a specific vulnerability's CVE ID. Use of the format YYYY-NNNN will yield both CVEs and CANs.
BugTraq ID | Text field for a specific vulnerability's BugTraq ID (partial values not allowed)
SANS Top 20 Category | Text field for a specific SANS Top 20 category (the results will include nCircle vulnerability conditions that cover vulnerabilities in that category)
Vulnerability/Attack Type | Determines whether to show ASPL conditions that are part of the standard "nCircle" ASPL set or that are Administrator-created "custom" conditions
Score | Vulnerability conditions must have a score greater than or less than this value.
Rule Type | Determines whether to show ASPL conditions that contain intrusive rules or non-intrusive rules. Because a condition can contain multiple rules, only one rule has to be "intrusive" or "non-intrusive" for the condition to be in the results.
Auth Attempt | Determines whether to show ASPL conditions that have at least one rule that has been marked Auth Attempt or not. If "No Auth Attempted" is selected, only those vulnerability conditions that contain no "Auth Attempt" rules will be returned.

  2. Click Submit.
    All vulnerability conditions (and related attack conditions) that match the criteria are displayed below.
  3. Click a vulnerability or attack condition to view its details.
    Details about the vulnerability or attack condition, including the component ASPL rules and related attack and vulnerability conditions, are displayed. A vulnerability's CAN or CVE ID is displayed under "Advisory Publisher Entries."

 

Sample search and results for a vulnerability and attack condition search
<middle of screen deleted>
Description of the vulnerability condition selected in the search results

35) GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

The associated CVEs are listed in the details of each element as displayed in the IP360 interface. The CVE IDs are hyperlinks to the associated content on https://cve.mitre.org. Users can select these links to validate or gain further information about the condition.

36) GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

IP360 provides export in either XML or CSV formats. Both formats contain the associated CVE IDs for each element. As they are text-based formats, they are inherently searchable.

Questions for Signature

37) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Timothy D. Keanini

Title: CTO

38) Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Timothy D. Keanini

Title: CTO

39) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Timothy D. Keanini

Title: CTO

Page Last Updated or Reviewed: September 08, 2017