Name of Your Organization:
McAfee, Inc.
Web Site:
http://www.mcafeesecurity.com
Compatible Capability:
Hercules
Capability home page:
http://www.mcafee.com/us/enterprise/products/policy_audit/hercules_policy_auditor.html
General Capability Questions
1) Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
After customers have purchased Hercules, they are sent a CD with the appropriate
license keys needed to get them started. If in the future the number of
licensed devices is exceeded, the customer calls Citadel for additional
device licenses.
Mapping Questions
4) Map Currency Indication <CR_5.1>
Describe how and where your capability indicates
the most recent CVE version used to create or update its mappings (required):
The Hercules V-Flash service is an automated delivery mechanism that connects
customers to the Citadel V-Flash server which houses the library of vulnerability
remedies. Hercules customer sites are updated with new remediations electronically
through this service. Notifications are included in the V-Flash notification
messages indicating the CVE version and the date the CVE CANdidates were
last updated.
5) Map Currency Update Approach <CR_5.2>
Indicate how often you plan on updating the mappings
to reflect new CVE versions and describe your approach to keeping reasonably
current with CVE versions when mapping them to your repository (recommended):
This is a daily on-going process. The Citadel Security Group has dedicated
staff members focused on assuring the accuracy and integrity of the data
used in Hercules. We have implemented an automated process that pulls
down both the CAN and the CVE files each day. The new information is merged
into our database each time the process runs. New and updated CANs and
CVEs are reviewed to assure coverage and accuracy from a Hercules product
perspective.
6) Map Currency Update Time <CR_5.3>
Describe how and where you explain to your customers
the timeframe they should expect an update of your capability's mappings
to reflect a newly released CVE version (recommended):
The Citadel Security Group monitors new vulnerabilities, updates and creates
new remediations daily. As a part of that process, CVE information is
added, reviewed and modified as appropriate. New and updated vulnerability
remedies are sent to customers immediately. This includes updated CVE
and CAN information. The Hercules User Guide documents our approach to
CVE as well as the timeframes customers can expect to receive updates
in.
Documentation Questions
7) CVE and Compatibility Documentation <CR_4.1>
Provide a copy, or directions to its location,
of where your documentation describes CVE and CVE compatibility for
your customers (required):
Section 5, Pages 5-2 through 5-4 of the Hercules User's Guide (included
in the documentation with the product, the help files in the product,
and available on the Citadel Security Software website https://hercules.citadel.com/howto.html)
describe CVE, how to search for Vulnerabilities based on their CVE information,
and how to find CVE information for Vulnerabilities in Hercules.
8) Documentation of Finding Elements Using CVE Names <CR_4.2>
Provide a copy, or directions to its location, of
where your documentation describes the specific details of how your
customers can use CVE names to find the individual security elements
within your capability's repository (required):
Section 5, Pages 5-2 through 5-4 of the Hercules User's Guide (included
in the documentation with the product, the help files in the product,
and available on the Citadel Security Software website
https://hercules.citadel.com/howto.html) describe CVE, how to search
for Vulnerabilities based on their CVE information, and how to find CVE
information for Vulnerabilities in Hercules.
9) Documentation of Finding CVE Names Using Elements <CR_4.3>
Provide a copy, or directions to its location, of
where your documentation describes the process a user would follow to
find the CVE names associated with individual security elements within
your capability's repository (required):
Section 5, Pages 5-2 through 5-4 of the Hercules User's Guide (included
in the documentation with the product, the help files in the product,
and available on the Citadel Security Software website https://hercules.citadel.com/howto.html)
describe CVE, how to search for Vulnerabilities based on their CVE information,
and how to find CVE information for Vulnerabilities in Hercules.
Candidate Support Questions
11) Candidates Versus Entries Indication <CR_6.1>
If CVE candidates are supported or used, explain
how you indicate that candidates are not accepted CVE entries (required):
The Hercules User's Guide (page 5-3) describes that CAN entries are candidate
CVE entries that must be approved by the CVE Editorial Board prior to
becoming official CVE entries. All CVE entries in Hercules are in the form
of CVE-YYYY-NNNN for CVE entries and CAN-YYYY-NNNN for CVE Candidates.
12) Candidates Versus Entries Explanation <CR_6.2>
If CVE candidates are supported or used, explain
where and how the difference between candidates and entries is explained
to your customers (recommended):
The Hercules User's Guide (page 5-3) explains the difference between CAN
and CVE entries.
13) Candidate to Entry Promotion <CR_6.3>
If CVE candidates are supported or used, explain
your policy for changing candidates into entries within your capability
and describe where and how this is communicated to your customers (recommended):
The Citadel Security Group has an automated process in place to assure
the CAN and CVE information is consistently accurate. When a CAN is upgraded
to an official CVE entry, any and all references to the previous CAN are
updated to the new CVE entry. Customers are not specifically told of each
individual promotion but the new information is available to them immediately.
The V-Flash notification indicates the current CVE version information
and the date of the last candidate information update.
14) Candidate and Entry Search Support <CR_6.4>
If CVE candidates are supported or used, explain
where and how a customer can find the explanation of your search function's
ability to look for candidates and entries by using just the YYYY-NNNN
portion of the CVE names (recommended):
The Hercules CVE reference list includes CAN and CVE entries, so the product's
search function can search for both CVE and CAN entries. The question
of how a customer can use our product's search to find a vulnerability via
CAN/CVE is addressed in the Hercules User's Guide (pages 5-2 through 5-4)
supplied with the product.
15) Search Support for Promoted Candidates <CR_6.5>
If CVE candidates are supported or used, explain
where and how a customer can find the explanation of your search function's
support for retrieving the CVE entry for a candidate that is no longer
a candidate (recommended):
There is no indication that a CVE candidate has changed to an official
CVE other than the "CAN" notation changes to "CVE."
16) Candidate Mapping Currency Indication <CR_6.6>
If CVE candidates are supported or used, explain
where and how you tell your users how up-to-date your candidate information
is (recommended):
Notifications are included in the V-Flash notification messages indicating
the CVE version and the date the CVE CANdidates were last updated.
Type-Specific Capability Questions
Tool Questions
17) Finding Tasks Using CVE Names <CR_A.2.1>
Give detailed examples and explanations of how a
user can locate tasks in the tool by looking for their associated CVE
name (required):
The tasks a user can perform in the tool by looking for their associated
CVE name include searching for a particular vulnerability by CVE name
and adding a remedy to a remedy group by searching on CVE name.
To search for a vulnerability by CVE name in Hercules, click the 'Search'
icon at the top left of the Hercules Administrator console. This will
open the 'Search for Hercules Assets' page. Enter the CVE information
in the format of 'CVE-YYYY-NNNN', 'CAN-YYYY-NNNN', or just 'YYYY-NNNN'.
This will list all of the Hercules Vulnerabilities associated to that
CVE (see screen capture below). It is possible to have multiple Hercules
Vulnerabilities for the same CVE since we integrate with multiple vulnerability
scanners and they each correlate their data differently. For example,
one scanner may recognize the Microsoft "LSASS Message Length Vulnerability"
vulnerability currently identified by CVE Candidate CAN-2003-0533. Another
scanner detects that Microsoft Patch MS04-011 is not installed on the
machine. This covers nearly 14 individual CVE candidates. This means
that we have an entry for the CVE candidate on each of these Hercules
Vulnerabilities.
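
An added example, not part of the original questionnaire and not Hercules
code: a Python sketch of a lookup that accepts all three name forms, returns
every vulnerability record tied to one name, and handles the promotion of a
candidate to an entry. The class and function names and the second identifier
are hypothetical; only CAN-2003-0533 and the two scanner findings come from
the text above.

```python
import re

# Accepts 'CVE-YYYY-NNNN', 'CAN-YYYY-NNNN' or bare 'YYYY-NNNN' (the three
# forms the search box takes). Current CVE IDs may have more than 4 digits.
_NAME = re.compile(r"^(?:(CVE|CAN)-)?(\d{4}-\d{4,})$", re.IGNORECASE)


def parse_name(text):
    """Return (prefix or None, 'YYYY-NNNN'); raise ValueError if malformed."""
    m = _NAME.match(text.strip())
    if not m:
        raise ValueError(f"not a CVE/CAN name: {text!r}")
    prefix = m.group(1).upper() if m.group(1) else None
    return prefix, m.group(2)


class CveIndex:
    """Hypothetical index keyed on the YYYY-NNNN part of the name."""

    def __init__(self):
        self.status = {}   # 'YYYY-NNNN' -> 'CAN' or 'CVE'
        self.vulns = {}    # 'YYYY-NNNN' -> set of vulnerability titles

    def add(self, vuln_title, names):
        for name in names:
            prefix, key = parse_name(name)
            if prefix is None:
                raise ValueError("catalog entries need a CVE- or CAN- prefix")
            # An entry never goes back to candidate once it is official.
            if self.status.get(key) != "CVE":
                self.status[key] = prefix
            self.vulns.setdefault(key, set()).add(vuln_title)

    def promote(self, name):
        """Candidate became an entry: one status flip updates every reference."""
        _, key = parse_name(name)
        if key not in self.status:
            raise KeyError(key)
        self.status[key] = "CVE"

    def search(self, query):
        """Return (current name, sorted titles); the prefix typed is ignored."""
        _, key = parse_name(query)
        if key not in self.status:
            return None, []
        return f"{self.status[key]}-{key}", sorted(self.vulns[key])


# Constructed catalog: two scanners report the same candidate differently.
index = CveIndex()
index.add("LSASS Message Length Vulnerability", ["CAN-2003-0533"])
index.add("Microsoft Patch MS04-011 not installed",
          ["CAN-2003-0533", "CAN-2099-0001"])  # second ID is a placeholder
```

Because the index is keyed on the YYYY-NNNN portion, a query typed with the
old CAN- prefix still resolves after promotion and comes back under the CVE- name.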

To add a remedy related to a particular CVE name to a remedy group,
use the 'Navigation' pane in Hercules and click on 'Manage Remedy Groups'.
At this point, create a new remedy group to build a new set of remedies
to apply to devices, or pick an existing remedy group if some have already
been created. Right click the remedy group and choose 'Add Remedies.'.
Enter the CVE or CVE Candidate name in the 'CVE identifiers:' text box
in the format of 'CVE-YYYY-NNNN', 'CAN-YYYY-NNNN', or just 'YYYY-NNNN'.
Then click the 'Go' button. This will populate a list of remedies available
for that CVE. Highlight all of the remedies desired by "Shift-Clicking"
to add multiple consecutive remedies or "Ctrl-Clicking" each remedy
to be added to the Remedy Group. When all of the desired remedies are
selected, click the 'Add' button to add all of the selected remedies
to the desired remedy group.
18) Finding CVE Names Using Elements in Reports <CR_A.2.2>
Give detailed examples and explanations of how,
for reports that identify individual security elements, the tool allows
the user to determine the associated CVE names for the individual security
elements in the report (required):
CVE information is listed with each vulnerability identified in the reports.
The CVE/CAN IDs are hyperlinked back to the appropriate page on the cve.mitre.org
site so the user can immediately access additional information as desired.
21) Selecting Tasks Using Individual CVE Names <CR_A.2.6>
Describe the steps that a user would follow to browse,
select, and deselect a set of tasks for the tool by using individual
CVE names (recommended):
The Hercules User's Guide addresses browsing remedies, reviewing their
CVE information, searching for vulnerabilities to select and add to
remedy groups. These are tasks a customer may perform in the tool by
CAN or CVE. Removing a remedy from a device is addressed in the User's
Guide.
To search for vulnerabilities to select and add them to your remedy groups
by CAN or CVE:
- Select Manage remedy groups and open your existing remedy group
by double clicking on it or create a new remedy group using the New
button and then double clicking on your group.
- Click on Add Remedies.
- Switch to the Search by Vulnerability tab
- Enter the YYYY-NNNN portion of the CVE or CAN you are searching
for
- Click Go. The search results will be vulnerabilities that are currently
associated with the CVE or CAN provided.
- You can now click on the vulnerability you wish to add. If you wish
to add more than one, simply hold down the control key and click.
When you are finished, click the Add button.
- You have now successfully added vulnerabilities by CVE or CAN to
your remedy group. If there are associated remedies, you can enable
those remedies and remediate your devices.
To add a custom remedy associated with a CVE or CAN:
- Click on Manage vulnerabilities
- Click on New
- Click the … by CVE IDs
- Click on the CVE/CAN you wish to add on the right side to highlight
it. Click Add. Repeat for all you wish to associate and then click
OK
- Type a Vulnerability name for this custom remedy in the Name field
and a description in the Description field. You may optionally populate
the other fields. Click OK.
- Your remedy will now appear in the Vulnerability catalog. Click
on Manage remedies
- Click on New… If your vulnerability is not listed in this
dialog box, click the … button and search and select for your
vulnerability
- Select the operating system from the drop down list.
- It is recommended to leave Global selected. You can add your new
remedy to individual devices when you are done. Click OK
- Add the remedy actions you wish to perform. For more information
review the “Remedy Actions Reference” which is located
in the Help menu, Hercules documents. Click Done
- You have now successfully added a new custom remedy for CVE(s)/CAN(s).
Use this remedy as you would a Citadel authored remedy.
22) Non-Support Notification for a Requested CVE Name <CR_A.2.7>
Provide a description of how the tool notifies the
user that a task associated to a selected CVE name cannot be performed
(recommended):
If the requested CVE or Candidate name is associated to a vulnerability
that has no remedy (i.e., an unsupported task) the remedy does not show
up in the Remedy Catalog and when browsing the vulnerability, the remedy
and remedy actions section of the page are inactive and "grayed out".

Media Questions
31) Electronic Document Format Info <CR_B.3.1>
Provide details about the different electronic document
formats that you provide and describe how they can be searched for specific
CVE-related text (required):
We provide PDF documentation, and report output is available as HTML.
These formats can be searched using a browser, reader, or editor.
Graphical User Interface (GUI)
34) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>
Give detailed examples and explanations of how the
GUI provides a "find" or "search" function for the
user to identify your capability's elements by looking for their associated
CVE name(s) (required):
To search for a vulnerability by CVE name in Hercules, click the 'Search'
icon at the top left of the Hercules Administrator console. This will
open the 'Search for Hercules Assets' page. Enter the CVE information
in the format of 'CVE-YYYY-NNNN', 'CAN-YYYY-NNNN', or just 'YYYY-NNNN'.
This will list all of the Hercules Vulnerabilities associated to that
CVE (see screen capture below). It is possible to have multiple Hercules
Vulnerabilities for the same CVE since we integrate with multiple vulnerability
scanners and they each correlate their data differently. For example,
one scanner may recognize the Microsoft "LSASS Message Length Vulnerability"
vulnerability currently identified by CVE Candidate CAN-2003-0533. Another
scanner detects that Microsoft Patch MS04-011 is not installed on the
machine. This covers nearly 14 individual CVE candidates. This means
that we have an entry for the CVE candidate on each of these Hercules
Vulnerabilities.

To add a remedy related to a particular CVE name to a remedy
group, use the 'Navigation' pane in Hercules and click on 'Manage Remedy
Groups'. At this point, create a new remedy group to build a new set
of remedies to apply to devices, or pick an existing remedy group if
some have already been created. Right click the remedy group and choose
'Add Remedies.'. Enter the CVE or CVE Candidate name in the 'CVE identifiers:'
text box in the format of 'CVE-YYYY-NNNN', 'CAN-YYYY-NNNN', or just
'YYYY-NNNN'. Then click the 'Go' button. This will populate a list of
remedies available for that CVE. Highlight all of the remedies desired
by "Shift-Clicking" to add multiple consecutive remedies or "Ctrl-Clicking"
each remedy to be added to the Remedy Group. When all of the desired
remedies are selected, click the 'Add' button to add all of the selected
remedies to the desired remedy group.

35) GUI Element to CVE Name Mapping <CR_B.4.2>
Briefly describe how the associated CVE names are
listed for the individual security elements or discuss how the user
can use the mapping between CVE entries and the capability's elements,
also describe the format of the mapping (required):
The Vulnerability Catalog (accessed by clicking the 'Manage Vulnerabilities'
link in the 'Navigation' pane of the Hercules Administrator console)
gives a complete list of all of the security elements in the product.
By highlighting a specific vulnerability, the user may click the 'Browse'
button to see information regarding that vulnerability. One of the elements
of the 'Browse Vulnerabilities and Remedies' page is the CVE or CVE
Candidate name associated to that particular vulnerability.

36) GUI Export Electronic Document Format Info <CR_B.4.3>
Provide details about the different electronic document
formats that you provide for exporting or accessing CVE-related data
and describe how they can be searched for specific CVE-related text
(recommended):
Hercules produces report output in HTML with CVE names as one of the fields.
The reports can be searched with a browser.
Questions for Signature
37) Statement of Compatibility <CR_2.7>
Have an authorized individual sign and date the
following Compatibility Statement (required):
"As an authorized representative of my organization I agree
that we will abide by all of the mandatory CVE Compatibility Requirements
as well as all of the additional mandatory CVE Compatibility Requirements
that are appropriate for our specific type of capability."
Name: Carl Banzhof
Title: CTO, Citadel Security Software Inc.
38) Statement of Accuracy <CR_3.4>
Have an authorized individual sign and date the
following accuracy Statement (recommended):
"As an authorized representative of my organization and to
the best of my knowledge, there are no errors in the mapping between
our capability's Repository and the CVE entries our capability identifies."
Name: Carl Banzhof
Title: CTO, Citadel Security Software Inc.
39) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>
FOR TOOLS ONLY - Have an authorized individual sign
and date the following statement about your tool's efficiency in identification
of security elements (required):
"As an authorized representative of my organization and to
the best of my knowledge, normally when our capability reports a specific
security element, it is generally correct and normally when an event
occurs that is related to a specific security element our capability
generally reports it."
Name: Carl Banzhof
Title: CTO, Citadel Security Software Inc.