Information Security News mailing list archives

A common language for security vulnerabilities


From: InfoSec News <isn () c4i org>
Date: Sun, 27 May 2001 05:14:00 -0500 (CDT)

http://www.zdnet.com/enterprise/stories/main/0,10228,2765107,00.html

By Laura Taylor
ZDNet Business & Technology
May 24, 2001 3:15 PM ET

When hackers want to breach your systems, they typically look for
well-known security flaws and bugs to exploit. In the past, vendors
and hackers gave different names to the same vulnerabilities. One
company might package a group of five vulnerabilities into a patch or
service pack and call it by one name, while another vendor might call
the same group by five separate names. This confused IT decision
makers who evaluated security products. It was difficult to compare
scanning and intrusion detection tools because the vulnerabilities and
exposures that they checked for had different names depending on the
vendor's naming conventions.

Fortunately, MITRE is changing that.

MITRE, a non-profit systems engineering corporation, has created a
standard Common Vulnerabilities and Exposures (CVE) list. Thanks to
the CVE list, you can now evaluate three security vulnerability
scanners and ask, "How many CVEs does the tool cover?" and have a
valid basis for comparison.

When one of MITRE's trusted data sources discovers a potential CVE
entry, MITRE's CVE editorial review board assigns it a candidate name
and number. The CVE editorial review board then reviews the candidate
to make sure it is not already a candidate or a live entry, and then
votes whether to accept it as a CVE entry. MITRE's CVE editorial
review board consists of security experts from not only MITRE, but
also the broader security community, and includes experts from
security consulting companies that are not aligned with any vendor or
product.

All security vendors should adopt MITRE's nomenclature. There is no
fee for obtaining the CVE list, and in fact you can download the
entire list with a click from MITRE's site. With no other competing
nomenclature standards for common vulnerabilities and exposures,
MITRE's list is the be-all and end-all of common vulnerability and
exposure naming for system and network security.

The CVE list makes it easier for security vendors to develop intrusion
detection and scanning tools. As more IT decision makers understand
the meaning of CVE, products with CVE-compatible names will likely
receive a better reception on the market. According to Marcus Ranum,
CTO of NFR Security, a leading maker of intrusion detection products,
"It's critical to have all IDS products report detected
vulnerabilities using a common language. That way product 'A' doesn't
tell you it's found a 'SYN flood attack' while product 'B' tells you
it's found a 'SYN denial of service' -- it saves time for the end
customer who needs to correlate information."

For network managers, products that contain CVE-compatible names make
it easier to handle day-to-day security issues. Security
administrators can find out and tally how many entries on the CVE list
they have covered.
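The correlation Ranum describes and the tally mentioned above, worked through on constructed sample reports as an added example (this is not code from the article or from any product it names; the report format, the product labels and the CVE identifiers are all assumptions made up for the illustration):

```python
import re

# Accepts both CVE-YYYY-NNNN entries and CAN-YYYY-NNNN candidates (the prefix MITRE
# used in 2001 for candidates awaiting a board vote); the sequence part may be 4+ digits.
CVE_ID = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$")

def normalize(ident):
    """Canonical key for a CVE/CAN id, or None if the text is not a valid id.
    The prefix is dropped so a candidate still matches the entry it later becomes."""
    m = CVE_ID.match(ident.strip().upper())
    return f"{m.group(2)}-{m.group(3)}" if m else None

def parse_report(product, lines):
    """Parse 'vendor name | id' lines (assumed format) from one product into
    {key: (product, vendor name)}. Lines with no valid id are skipped: a finding
    that carries only a vendor-specific name cannot be correlated across products."""
    findings = {}
    for line in lines:
        name, sep, ident = line.partition("|")
        key = normalize(ident) if sep else None
        if key:
            findings[key] = (product, name.strip())
    return findings

def correlate(*reports):
    """Group each product's vendor-specific name under the shared CVE key."""
    merged = {}
    for report in reports:
        for key, (product, name) in report.items():
            merged.setdefault(key, {})[product] = name
    return merged

def coverage(report, cve_list):
    """Count how many entries of the CVE list a product checks for, and the fraction."""
    wanted = {normalize(i) for i in cve_list} - {None}
    covered = wanted & set(report)
    return len(covered), len(covered) / len(wanted)

# Constructed sample data: the identifiers are placeholders, not real CVE entries.
PRODUCT_A = ["SYN flood attack | CVE-2001-0001", "ftp bounce | CAN-2001-0002", "rpc probe | not-an-id"]
PRODUCT_B = ["SYN denial of service | cve-2001-0001", "finger info leak | CVE-2001-0003"]
CVE_LIST = ["CVE-2001-0001", "CVE-2001-0002", "CVE-2001-0003", "CVE-2001-0004"]

if __name__ == "__main__":
    a, b = parse_report("A", PRODUCT_A), parse_report("B", PRODUCT_B)
    for key, names in sorted(correlate(a, b).items()):
        print(key, names)          # one line per CVE key, both products' names side by side
    print("A covers", coverage(a, CVE_LIST), "B covers", coverage(b, CVE_LIST))
```

The two products' differently named SYN-flood signatures land under the same key, while the finding without an identifier drops out of the correlation entirely, which is exactly the gap a common name closes.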

Some products currently containing CVE-compatible names include:

- NFR's IDS
- PentaSECURITY's Siren (IDS)
- Qualys' QualysGuard
- ISS' Internet Scanner
- Symantec's Enterprise Security Manager
- BindView's HackerShield
- PGP's CyberCop Scanner

Moving forward, one of the biggest challenges for MITRE will be
quickly classifying new CVE entries. According to MITRE, today there
are 1,510 CVE names. With new vulnerabilities being found every day, a
speedy review and naming process is crucial.

MITRE's CVE development has been instrumental in untangling and
verifying the wacky jargon of security vulnerability names, and all
eyes are on them to lead the way in managing this complicated process.


Laura Taylor is the Chief Technology Officer and founder of Relevant
Technologies. Ms. Taylor has 17 years of experience in IT operations
with a focus in information security. She has worked as Director of
Information Security at Navisite and as CIO of Schafer Corp., a
weapons development contractor for the Department of Defense.




ISN is hosted by SecurityFocus.com