[ISN] A common language for security vulnerabilities

From: InfoSec News (isnat_private)
Date: Sun May 27 2001 - 03:14:00 PDT


By Laura Taylor
ZDNet Business & Technology
May 24, 2001 3:15 PM ET

When hackers want to breach your systems, they typically look for
well-known security flaws and bugs to exploit. In the past, vendors
and hackers gave different names to the same vulnerabilities. One
company might package a group of five vulnerabilities into a patch or
service pack and call it by one name, while another vendor might call
the same group by five separate names. This confused IT decision
makers who evaluated security products. It was difficult to compare
scanning and intrusion detection tools because the vulnerabilities and
exposures that they checked for had different names depending on the
vendor's naming conventions.

Fortunately, MITRE is changing that.

MITRE, a non-profit systems engineering corporation, has created a
standard Common Vulnerabilities and Exposures (CVE) list. Thanks to
the CVE list, you can now evaluate three security vulnerability
scanners and ask, "How many CVEs does the tool cover?" and have a
valid basis for comparison.

When one of MITRE's trusted data sources discovers a potential CVE
entry, MITRE's CVE editorial review board assigns it a candidate name
and number. The CVE editorial review board then reviews the candidate
to make sure it is not already a candidate or a live entry, and then
votes whether to accept it as a CVE entry. MITRE's CVE editorial
review board consists of security experts from not only MITRE, but
also the broader security community, and includes experts from
security consulting companies that are not aligned with any vendor or

All security vendors should adopt MITRE's nomenclature. There is no
fee for obtaining the CVE list, and in fact you can download the
entire list with a click from MITRE's site. With no other competing
nomenclature standards for common vulnerabilities and exposures,
MITRE's list is the be-all and end-all of common vulnerabilities and
exposures for system and network security.

The CVE list makes it easier for security vendors to develop intrusion
detection and scanning tools. As more IT decision makers understand
the meaning of CVE, products with CVE-compatible names will likely
receive a better reception on the market. According to Marcus Ranum,
CTO of NFR Security, a leading maker of intrusion detection products,
"It's critical to have all IDS products report detected
vulnerabilities using a common language. That way product 'A' doesn't
tell you it's found a 'SYN flood attack' while product 'B' tells you
it's found a 'SYN denial of service' -- it saves time for the end
customer who needs to correlate information."

For network managers, products that contain CVE-compatible names make
it easier to handle day-to-day security issues. Security
administrators can find out and tally how many entries on the CVE list
they have covered.
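As an added example (not from the article, MITRE, or any vendor named in it), the Python below shows what the "common language" buys a network manager in practice: each product's own check names are mapped to a shared identifier, a product's coverage is tallied against a reference list, and an alert from one product is translated into what another product calls the same issue. The identifier syntax (CVE-YYYY-NNNN for accepted entries, CAN-YYYY-NNNN for candidates awaiting the editorial board's vote) is the CVE project's convention of that era; the reference list, product names, check vocabularies and identifier numbers are constructed placeholders, not real entries.

```python
"""Added example: normalize vendor-specific check names to CVE/CAN
identifiers, tally coverage against a reference list, and correlate
alerts across products. Not code from the article, MITRE, or any vendor."""

import re
from collections import defaultdict

# Identifier syntax of the 2001-era list: CVE-YYYY-NNNN for accepted
# entries, CAN-YYYY-NNNN for candidates still under board review.
ID_RE = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4})$")

# Constructed reference list: identifiers and descriptions are
# placeholders, not real CVE entries or candidates.
CVE_LIST = {
    "CVE-1999-9001": "constructed entry: SYN flood denial of service",
    "CVE-1999-9002": "constructed entry: world-writable anonymous FTP directory",
    "CVE-2000-9003": "constructed entry: default SNMP community string",
    "CAN-2001-9004": "constructed candidate: web server path traversal",
}

# Constructed per-product check vocabularies. Each product names the
# same flaw differently; the shared identifier makes them comparable.
VENDOR_CHECKS = {
    "product_a": {
        "SYN flood attack": "CVE-1999-9001",
        "FTP writable dir": "CVE-1999-9002",
        "SNMP public community": "CVE-2000-9003",
    },
    "product_b": {
        "SYN denial of service": "CVE-1999-9001",
        "Directory traversal (web)": "CAN-2001-9004",
        "Bogus check": "CVE-2001-01",  # malformed on purpose: wrong length
    },
}


def parse_id(identifier):
    """Split an identifier into (kind, year, sequence); reject anything
    that is not CVE-YYYY-NNNN or CAN-YYYY-NNNN."""
    m = ID_RE.match(identifier)
    if not m:
        raise ValueError(f"not a CVE/CAN identifier: {identifier!r}")
    kind, year, seq = m.groups()
    return kind, int(year), int(seq)


def is_candidate(identifier):
    """True for CAN-* identifiers (not yet voted into the list)."""
    return parse_id(identifier)[0] == "CAN"


def coverage(vendor_map, cve_list=CVE_LIST):
    """Return the set of reference-list identifiers a product's checks
    cover; a malformed identifier is skipped rather than aborting the tally."""
    covered = set()
    for identifier in vendor_map.values():
        try:
            parse_id(identifier)
        except ValueError:
            continue
        if identifier in cve_list:
            covered.add(identifier)
    return covered


def coverage_count(vendor_map, cve_list=CVE_LIST):
    """The number a buyer asks for: 'How many CVEs does the tool cover?'"""
    return len(coverage(vendor_map, cve_list))


def build_index(vendor_checks=VENDOR_CHECKS):
    """Invert the vocabularies: identifier -> {product: local check name}."""
    index = defaultdict(dict)
    for product, checks in vendor_checks.items():
        for local_name, identifier in checks.items():
            if ID_RE.match(identifier):
                index[identifier][product] = local_name
    return index


def correlate(product, local_name, vendor_checks=VENDOR_CHECKS):
    """Given one product's alert name, return the shared identifier and
    what every other product calls the same issue."""
    identifier = vendor_checks[product][local_name]
    others = build_index(vendor_checks)[identifier]
    return identifier, {p: n for p, n in others.items() if p != product}


if __name__ == "__main__":
    for product, checks in VENDOR_CHECKS.items():
        print(f"{product} covers {coverage_count(checks)} of {len(CVE_LIST)}")
    print(correlate("product_a", "SYN flood attack"))
```

The malformed "Bogus check" entry shows why the tally validates identifiers before counting: a vendor's mislabelled check should neither inflate its coverage number nor break the comparison.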
Some products currently containing CVE-compatible names include:

- NFR's IDS
- PentaSECURITY's Siren (IDS)
- Qualys' QualysGuard
- ISS' Internet Scanner
- Symantec's Enterprise Security Manager
- BindView's HackerShield
- PGP's CyberCop Scanner

Moving forward, one of the biggest challenges for MITRE will be
quickly classifying new CVE entries. According to MITRE, today there
are 1,510 CVE names. With new vulnerabilities being found every day, a
speedy review and naming process is crucial.

MITRE's CVE development has been instrumental in untangling and
verifying the wacky jargon of security vulnerability names, and all
eyes are on them to lead the way in managing this complicated process.

Laura Taylor is the Chief Technology Officer and founder of Relevant
Technologies. Ms. Taylor has 17 years of experience in IT operations
with a focus in information security. She has worked as Director of
Information Security at Navisite and as CIO of Schafer Corp., a
weapons development contractor for the Department of Defense.

ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribeat_private
