[ISN] A Dictionary For Vulnerabilities

From: InfoSec News (isnat_private)
Date: Mon Jun 23 2003 - 23:26:07 PDT

  • Next message: InfoSec News: "[ISN] 'Heads on block' over Comedy Terrorist's royal party stunt"

    http://security.ziffdavis.com/article2/0,3973,1134336,00.asp
    
    By Larry Seltzer 
    June 23, 2003 
    
    CVE gives users, vendors, and toolmakers a common vocabulary for
    vulnerabilities. Unfortunately, the bad guys move quite a bit faster.
    
    If you ever read security vulnerabilities you eventually run into a
    notation looking like "CVE-2002-0947." This is a standard naming
    convention for vulnerabilities called Common Vulnerabilities and
    Exposures (CVE). CVE is administered by a company called Mitre, a
    non-profit company that operates governmental research facilities and
    other such cool things. In addition to hosting the CVE list, Mitre
    acts as the editor for aspects of list development. But the most
    important decisions are made by an editorial board with
    representatives of security and software firms.
    
    CVE is an important part of modern security efforts but it could be
    more important. The main function of CVE is to provide
    security-related programs a common naming set for vulnerabilities on
    which they may operate. Security products, vulnerability scanners for
    example, usually provide mappings to CVE names. For example, Netcraft
    has a network vulnerability scanning service called Netcraft Network
    Examination which provides mappings to CVE names for the
    vulnerabilities it finds. The CVE site has a list of CVE-compatible
    products, including an entry for Netcraft.
     
    The CVE gets its initial reports from a variety of respectable
    sources, including the SecurityFocus vulnerabilities list and the
    Internet Security Systems monthly Security Alert Summary. These
    sources are monitored by a group of Mitre analysts. When a new
    vulnerability or exposure comes up it becomes a candidate for a CVE
    entry and gets a CAN entry in the list, such as CAN-2003-9876.
    
    What is an exposure as opposed to a vulnerability? A vulnerability is
    a bug which results in a security problem; an exposure is a potential
    security problem resulting from correct behavior. For example, many
    operating systems and applications will come with default root/admin
    passwords of "password" or just be blank. This is correct behavior,
    but it's a potential source of trouble.
    
    I can't figure out for sure from the CVE site how a candidate becomes
    a candidate, and Mitre never got back to me. It looks like Mitre
    analysts make these decisions on their own, which is perhaps the best
    way to do it.
    
    But the overly-formal structure of CVE keeps the data in the system
    old, limiting the usefulness. It seems to take a while before
    candidates are entered, and it can take months, seemingly ages, before
    they formally enter the list. Consider the MS SQL Server Slammer worm:  
    the vulnerability behind it is still listed as a candidate, although 3
    members of the editorial board have voted to accept it. This is a very
    old vulnerability.
    
    In many ways the most recent vulnerabilities are the most important
    ones, so if a vulnerability list is not reasonably up to date it's not
    useful. CVE is pretty out of date. As a result, CVE-compatible
    programs have to function without CVE names. In a sense this makes the
    CVE names a redundant capability, but where they exist they do add to
    the interoperability between security products of different vendors
    and the ability of administrators to digest reports.
    
    Unfortunately, the mapping of vulnerabilities between different tools
    is not always very clean, even with CVE. Different tools address CVEs
    differently; for instance, a vendor patch might address part of a CVE
    or multiple CVEs. Testers might have to design one test for multiple
    CVEs or multiple tests for one.
    
    It's interesting to compare this with the informal naming system that
    exists for viruses. Did you ever wonder how viruses get names like
    "W32.Sobig.C@mm?" Part of it is a standard system showing the platform
    and version, but the actual name part is created by researchers from
    various vendors who exchange information with each other on mailing
    lists as new outbreaks emerge. As with new elements and species,
    usually the first researcher to find a virus gets to name it, usually
    based on some string in or other characteristic of the virus. But if
    Marconi and Tesla can simultaneously invent radio, surely it's
    possible for two researchers to discover the same virus in the wild.  
    Some have suggested that the antivirus industry needs a committee like
    CVE to name viruses. I think the last thing we need is a way to slow
    down virus research.
    
    Security Supersite Editor Larry Seltzer has worked in and written
    about the computer industry since 1983.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 01:19:36 PDT