One document matched: draft-ietf-sacm-terminology-02.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!ENTITY RFC1213 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1213.xml">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC0826 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.0826.xml">
<!ENTITY RFC2790 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2790.xml">
<!ENTITY RFC2863 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2863.xml">
<!ENTITY RFC2865 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2865.xml">
<!ENTITY RFC2922 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2922.xml">
<!ENTITY RFC3535 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3535.xml">
<!ENTITY RFC3552 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3552.xml">
<!ENTITY RFC4949 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4949.xml">
<!ENTITY RFC5209 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5209.xml">
<!ENTITY RFC5226 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5226.xml">
<!ENTITY RFC5424 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5424.xml">
<!ENTITY RFC5792 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5792.xml">
<!ENTITY RFC5793 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5793.xml">
<!ENTITY RFC6733 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6733.xml">
<!ENTITY RFC6933 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6933.xml">
<!ENTITY I-D.draft-ietf-nea-pt-eap-06 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-nea-pt-eap-06.xml">
<!ENTITY I-D.draft-ietf-nea-pt-tls-08 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-nea-pt-tls-08.xml">
<!ENTITY I-D.draft-ietf-netmod-interfaces-cfg-12 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-netmod-interfaces-cfg-12.xml">
<!ENTITY I-D.draft-ietf-netmod-system-mgmt-08 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-netmod-system-mgmt-08.xml">
<!ENTITY I-D.draft-ietf-savi-framework-06 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-savi-framework-06.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-ietf-sacm-terminology-02" ipr=" trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: full3667, noModification3667, noDerivatives3667
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the
full title is longer than 39 characters -->
<title abbrev="Terminology for Security Assessment">Terminology for Security Assessment</title>
<author fullname="David Waltermire" initials="D.W."
surname="Waltermire">
<organization abbrev="NIST">National Institute of Standards and Technology</organization>
<address>
<postal>
<street>100 Bureau Drive</street>
<city>Gaithersburg</city>
<region>Maryland</region>
<code>20877</code>
<country>USA</country>
</postal>
<phone></phone>
<email>david.waltermire@nist.gov</email>
</address>
</author>
<author fullname="Adam W. Montville" initials="A.W.M."
surname="Montville">
<organization abbrev="CIS">Center for Internet Security</organization>
<address>
<postal>
<street>31 Tech Valley Drive</street>
<city>East Greenbush</city>
<region>New York</region>
<code>12061</code>
<country>USA</country>
</postal>
<phone></phone>
<email>adam.montville@cisecurity.org</email>
</address>
</author>
<author fullname="David Harrington" initials="D.B.H"
surname="Harrington">
<organization>Effective Software</organization>
<address>
<postal>
<street>50 Harding Rd</street>
<city>Portsmouth</city>
<region>NH</region>
<code>03801</code>
<country>USA</country>
</postal>
<phone></phone>
<email>ietfdbh@comcast.net</email>
</address>
</author>
<date year="2014" />
<!-- Meta-data Declarations -->
<area>Security</area>
<workgroup>Security Automation and Continuous Monitoring WG</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>security automation continuous monitoring sacm terminology</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract>
<t>This memo documents terminology used in the documents produced by the SACM WG (Security Automation and Continuous Monitoring).</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>Our goal with this document is to
improve our agreement on the terminology used in documents produced
by the IETF Working Group for Security Automation and Continuous Monitoring.
Agreeing on terminology should help reach consensus on which problems we're trying to solve,
and propose solutions and decide
which ones to use.</t>
<t>This document is expected to be temorary work product, and will probably
be incorporated into the architecture or other document.</t>
</section>
<section anchor="sec-terms" title="Terms and Definitions">
<section anchor="doc-extracted-terms" title="Terms Extracted from UC -05 Draft">
<t>The following terms were extracted from: http://tools.ietf.org/html/draft-ietf-sacm-use-cases-05</t>
<t>acquisition method</t>
<t>actor</t>
<t>actual endpoint state</t>
<t>ad hoc collection task</t>
<t>ad hoc evaluation task</t>
<t>applicable data collection content</t>
<t>application</t>
<t>appropriate actor</t>
<t>appropriate application</t>
<t>appropriate operator</t>
<t>approved configuration</t>
<t>approved endpoint configuration</t>
<t>approved hardware list</t>
<t>approved software list</t>
<t>artifact</t>
<t>artifact age</t>
<t>assessment criteria</t>
<t>assessment cycle</t>
<t>assessment planning</t>
<t>assessment subset</t>
<t>assessment trigger</t>
<t>asset characteristics</t>
<t>asset management</t>
<t>asset management data</t>
<t>asset management system</t>
<t>asynchronous compliance assessment</t>
<t>asynchronous vulnerability assessment</t>
<t>attack condition</t>
<t>attribute</t>
<t>automatable configuration guide</t>
<t>automatable configuration guide definition</t>
<t>automatable configuration guide publication</t>
<t>automated checklist verification</t>
<t>automated endpoint compliance monitoring</t>
<t>baseline</t>
<t>baseline compliance</t>
<t>building block</t>
<t>business logic</t>
<t>candidate endpoint target</t>
<t>capability</t>
<t>change detection</t>
<t>change event</t>
<t>change event monitoring</t>
<t>change filter</t>
<t>change management</t>
<t>change management program</t>
<t>checklist</t>
<t>checklist identification</t>
<t>checklist verification</t>
<t>client endpoint</t>
<t>collected posture attribute value</t>
<t>collection content acquisition</t>
<t>collection process</t>
<t>collection request</t>
<t>collection task</t>
<t>complete assessment cycle</t>
<t>compliance</t>
<t>compliance level</t>
<t>compliance monitoring</t>
<t>computing platform endpoint</t>
<t>configuration baseline</t>
<t>configuration data</t>
<t>configuration item</t>
<t>configuration item change</t>
<t>configuration management</t>
<t>content</t>
<t>content change detection</t>
<t>content data store</t>
<t>content definition</t>
<t>content instance</t>
<t>content publication</t>
<t>content query</t>
<t>content repository</t>
<t>content retrieval</t>
<t>criteria</t>
<t>critical vulnerability</t>
<t>current sign of malware infection</t>
<t>data analysis</t>
<t>data collection</t>
<t>data collection content</t>
<t>data collection path</t>
<t>data store query</t>
<t>database mining</t>
<t>define content</t>
<t>desired state</t>
<t>desired state identification</t>
<t>detection timeliness</t>
<t>deviation notification</t>
<t>discovery</t>
<t>endpoint</t>
<t>endpoint attribute</t>
<t>endpoint compliance monitoring</t>
<t>endpoint component inventory</t>
<t>endpoint discovery</t>
<t>endpoint event</t>
<t>endpoint identification</t>
<t>endpoint information analysis and reporting</t>
<t>endpoint metadata</t>
<t>endpoint posture</t>
<t>endpoint posture assessment</t>
<t>endpoint posture attribute</t>
<t>endpoint posture attribute value</t>
<t>endpoint posture attribute value collection</t>
<t>endpoint posture change monitoring</t>
<t>endpoint posture compliance</t>
<t>endpoint posture deviation</t>
<t>endpoint posture deviation detection</t>
<t>endpoint posture monitoring</t>
<t>endpoint state</t>
<t>endpoint target</t>
<t>endpoint target identification</t>
<t>endpoint type</t>
<t>enterprise</t>
<t>enterprise function</t>
<t>enterprise function definition</t>
<t>enterprise policy</t>
<t>enterprise standards</t>
<t>evaluating data</t>
<t>evaluation content acquisition</t>
<t>evaluation task</t>
<t>evaulation result</t>
<t>event-driven notification</t>
<t>expected function</t>
<t>expected state</t>
<t>expected state criteria</t>
<t>function</t>
<t>functional capability</t>
<t>immediate detection</t>
<t>indicator of compromise</t>
<t>industry group</t>
<t>information expression</t>
<t>information model</t>
<t>malicious activity</t>
<t>malicious configuration item</t>
<t>malicious hardware</t>
<t>malicious software</t>
<t>malware infection</t>
<t>manual endpoint compliance monitoring</t>
<t>mobile endpoint</t>
<t>monitoring</t>
<t>network access control</t>
<t>network access control decision</t>
<t>network event</t>
<t>network infrastructure endpoint</t>
<t>network location</t>
<t>network-connection-driven data collection</t>
<t>new vulnerability</t>
<t>on-demand detection</t>
<t>ongoing change-event monitoring</t>
<t>ongoing-event-driven endpoint-posture-change monitoring</t>
<t>ongoing-event-driven monitoring</t>
<t>operational data</t>
<t>operations</t>
<t>organizational policy</t>
<t>organizational policy compliance</t>
<t>organizational security posture</t>
<t>patch</t>
<t>patch change</t>
<t>patch management</t>
<t>performance condition</t>
<t>periodic collection request</t>
<t>periodic data collection</t>
<t>policy</t>
<t>posture aspect</t>
<t>posture aspect change</t>
<t>posture attribute</t>
<t>posture attribute evaluation</t>
<t>posture attribute identification</t>
<t>posture attribute value</t>
<t>posture attribute value collection</t>
<t>posture attribute value query</t>
<t>posture change</t>
<t>posture deviation</t>
<t>posture deviation detection</t>
<t>posture evaluation</t>
<t>previously collected information</t>
<t>previously collected posture attribute value</t>
<t>previously collected posture attribute value analysis</t>
<t>process</t>
<t>public content repository</t>
<t>publication metadata</t>
<t>publication operations</t>
<t>publish content</t>
<t>query</t>
<t>regulatory authority</t>
<t>repository</t>
<t>repository content identification</t>
<t>repository content retrieval</t>
<t>result</t>
<t>result set</t>
<t>retrieve content</t>
<t>risk</t>
<t>risk management</t>
<t>risk management program</t>
<t>scheduled task</t>
<t>search criteria</t>
<t>secure configuration baseline</t>
<t>security administrator</t>
<t>security automation</t>
<t>security posture</t>
<t>security process</t>
<t>server endpoint</t>
<t>significant endpoint event</t>
<t>significant event</t>
<t>signs of infection</t>
<t>state criteria</t>
<t>supporting content</t>
<t>target</t>
<t>target endpoint</t>
<t>task</t>
<t>trigger</t>
<t>unauthorized configuration item</t>
<t>unauthorized hardware</t>
<t>unauthorized software</t>
<t>vulnerability</t>
<t>vulnerability artifact</t>
<t>vulnerability artifact age</t>
<t>vulnerability condition</t>
<t>vulnerability exposure</t>
<t>vulnerability management</t>
<t>vulnerability mitigation</t>
<t>vulnerability remediation</t>
<t>whole assessment</t>
<t>workflow trigger</t>
</section>
<section anchor="existing-terms" title="Terms from -01 Terminology Draft">
<t>assessment
<list>
<t>Defined in <xref target="RFC5209"/> as "the process of collecting posture for a set of capabilities on the endpoint (e.g., host-based firewall) such that the appropriate validators may evaluate the posture against compliance policy."</t>
<t>Within this document the use of the term is expanded to support other uses of collected posture (e.g. reporting, network enforcement, vulnerability detection, license management). The phrase "set of capabilities on the endpoint" includes: hardware and software installed on the endpoint."</t>
</list>
</t>
<t>asset
<list>
<t>Defined in <xref target="RFC4949"/> as "a system resource that is (a) required to be protected by an information system's security policy, (b) intended to be protected by a countermeasure, or (c) required for a system's mission.</t>
</list>
</t>
<t>asset characterization
<list>
<t>Asset characterization is the process of defining attributes that describe properties of an identified asset.</t>
</list>
</t>
<t>asset targeting
<list>
<t>Asset targeting is the use of asset identification and categorization information
to drive human-directed, automated decision making for data collection and analysis in
support of endpoint posture assessment.</t>
</list>
</t>
<t>attribute
<list>
<t>Defined in <xref target="RFC5209"/> as "data element including any requisite meta-data describing an observed, expected, or the operational status of an endpoint feature (e.g., anti-virus software is currently in use)."</t>
</list>
</t>
<t>endpoint
<list>
<t>Defined in <xref target="RFC5209"/> as "any computing device that can be connected to a network. Such devices normally are associated with a particular link layer address before joining the network and potentially an IP address once on the network. This includes: laptops, desktops, servers, cell phones, or any device that may have an IP address."</t>
<t>Network infrastructure devices (e.g. switches, routers, firewalls), which fit the definition, are also considered to be endpoints within this document.</t>
<t>Based on the previous definition of an asset, an endpoint is a type of asset.</t>
</list>
</t>
<t>Exposure
<list>
<t>An endpoint misconfiguration or software flaw that allows access to information or capabilities that can be used by an attacker as a means to compromise an endpoint or network. (derived from CVE exposure definition)</t>
<t>From RFC4949:
(I) A type of threat action whereby sensitive data is directly
released to an unauthorized entity. (See: unauthorized
disclosure.)
Usage: This type of threat action includes the following subtypes:
- "Deliberate Exposure": Intentional release of sensitive data to
an unauthorized entity.
- "Scavenging": Searching through data residue in a system to
gain unauthorized knowledge of sensitive data.
- "Human error": /exposure/ Human action or inaction that
unintentionally results in an entity gaining unauthorized
knowledge of sensitive data. (Compare: corruption,
incapacitation.)
- "Hardware or software error": /exposure/ System failure that
unintentionally results in an entity gaining unauthorized
knowledge of sensitive data. (Compare: corruption,
incapacitation.)
</t>
</list>
</t>
<t>Misconfiguration
<list>
<t>A misconfiguration is a configuration setting that violates organizational security policies, introduces a possible security weakness in a system, or permits or causes unintended behavior that may impact the security posture of a system. (from NIST IR 7670)
The misalignment of a unit of endpoint configuration posture relative to organizational expectations that is subject to exploitation or misuse.
</t>
</list>
</t>
<t>posture
<list>
<t>Defined in <xref target="RFC5209"/> as "configuration and/or status of hardware or software on an endpoint as it pertains to an organization's security policy."</t>
<t>This term is used within the scope of this document to represent the state information that is collected from an endpoint (e.g. software/hardware inventory, configuration settings).</t>
</list>
</t>
<t>posture attributes
<list>
<t>Defined in <xref target="RFC5209"/> as "attributes describing the configuration or status (posture) of a feature of the endpoint. For example, a Posture Attribute might describe the version of the operating system installed on the system."</t>
<t>Within this document this term represents a specific assertion about endpoint state (e.g. configuration setting, installed software, hardware). The phrase "features of the endpoint" refers to installed software or software components.</t>
</list>
</t>
<t>Remediation
<list>
<t>A remediation is defined as a security-related set of actions that results in a change to a computer's state and may consist of changes motivated by the need to enforce organizational security policies, address discovered vulnerabilities, or correct misconfigurations. (from NIST IR 7670)</t>
</list>
</t>
<t>software flaw
<list>
<t>A weakness in software that is subject to exploitation or misuse. A software flaw can be used by an attacker to gain access to a system or network, and/or materially affect the confidentiality, integrity or availability of information hosted by an endpoint or exchanged over a network. Such a flaw may allow an attacker to execute commands as another user, access data that is contrary to specified access controls, pose as another entity, or to conduct a denial of service. (derived from CVE vulnerability definition)</t>
</list>
</t>
<t>system resource
<list>
<t>Defined in <xref target="RFC4949"/> as "data contained in an information system; or a service provided by a system; or a system capacity, such as processing power or communication bandwidth; or an item of system equipment (i.e., hardware, firmware, software, or documentation); or a facility that houses system operations and equipment.</t>
</list>
</t>
<t>Vulnerability
<list>
<t>A vulnerability is a state of configuration or defect in a system which allows an unintended and unauthorized party to violate the security or policies of the system.</t>
<t>A weakness in an information system, system security procedures, internal controls, or implementation that is subject to exploitation or misuse. This includes flaws in software and processes, and misconfiguration of hardware or software. (derived from NIST definitions)
</t>
<t>From RFC4949:
(I) A flaw or weakness in a system's design, implementation, or
operation and management that could be exploited to violate the
system's security policy. (See: harden.)
Tutorial: A system can have three types of vulnerabilities: (a)
vulnerabilities in design or specification; (b) vulnerabilities in
implementation; and (c) vulnerabilities in operation and
management. Most systems have one or more vulnerabilities, but
this does not mean that the systems are too flawed to use. Not
every threat results in an attack, and not every attack succeeds.
Success depends on the degree of vulnerability, the strength of
attacks, and the effectiveness of any countermeasures in use. If
the attacks needed to exploit a vulnerability are very difficult
to carry out, then the vulnerability may be tolerable. If the
perceived benefit to an attacker is small, then even an easily
exploited vulnerability may be tolerable. However, if the attacks
are well understood and easily made, and if the vulnerable system
is employed by a wide range of users, then it is likely that there
will be enough motivation for someone to launch an attack.
</t>
</list>
</t>
<t>Vulnerability Management
<list>
<t>The process of mitigating the ability to exploit a vulnerability, via defect removal or protective measures such that exploitation becomes impossible or highly unlikely. (from Chris Inacio)
</t>
</list>
</t>
</section>
<!--
<t>
<list>
<t>Defined in <xref target="RFC"/> as </t>
</list>
</t>
-->
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This memo includes no request to IANA.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>This memo documents terminology for security automation. While it is about security, it does not affect security.</t>
</section>
<section title="Acknowledgements">
<t></t>
</section>
<section title="Change Log">
<section title="ietf-sacm-terminology-01- to -02-">
<t>Added simple list of terms extracted from UC draft -05. It is expected that comments will be received
on this list of terms as to whether they should be kept in this document. Those that are kept will
be appropriately defined or cited.</t>
</section>
<section title="ietf-sacm-terminology-01- to -02-">
<t>Added Vulnerability, Vulnerability Management, xposure, Misconfiguration, and Software flaw.</t>
</section>
<section title="-00- draft">
<t><list style="symbols">
<t></t>
</list></t>
</section>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included files in the same
directory as the including file. You can also define the XML_LIBRARY environment variable
with a value containing a set of directories to search. These can be either in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Normative References">
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
&RFC2119;
</references>
<references title="Informative References">
<!-- Here we use entities that we defined at the beginning. -->
<!--
&RFC0826;
&RFC1213;
&RFC2790;
&RFC2863;
&RFC2865;
&RFC2922;
&RFC3535;
&RFC3552;
-->
&RFC4949;
&RFC5209;
<!--
&RFC5226;
&RFC5424;
&RFC5792;
&RFC5793;
&RFC6733;
&RFC6933;
&I-D.draft-ietf-nea-pt-eap-09;
&I-D.draft-ietf-nea-pt-tls-08;
&I-D.draft-ietf-netmod-interfaces-cfg-12;
&I-D.draft-ietf-netmod-system-mgmt-08;
&I-D.draft-ietf-savi-framework-06;
-->
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 07:32:28 |