1 / 13

The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List

The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List. Steven M. Christey David W. Baker William H. Hill David E. Mann The MITRE Corporation. Outline. Description Examples Applications to IDS Activities Editorial Board.

emiko
Download Presentation

The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann The MITRE Corporation

  2. Outline • Description • Examples • Applications to IDS • Activities • Editorial Board

  3. What is the CVE (Common Vulnerabilities and Exposures List)? • A list of common information systems security problems (but CISSP was taken) • Vulnerabilities • Problems that are universally thought of as “vulnerabilities” in any security policy • Software flaws that could directly allow serious damage • phf, ToolTalk, Smurf, rpc.cmsd, etc. • Exposures • Problems that are sometimes thought of as “vulnerabilities” in some security policies • Stepping stones for a successful attack • Running finger, poor logging practices, etc.

  4. CVE Goals • Enumerate all publicly known problems • Assign a standard, unique name to each problem • Exist independently of multiple perspectives • Be publicly open and shareable, without distribution restrictions

  5. Why the CVE? • Provide common language for referring to problems • Facilitate data sharing between • IDSes • Assessment tools • Vulnerability databases • Academic research • Incident response teams • Foster better communication across the community • Get better tools that interoperate across multiple vendors

  6. Sample CVE Entries

  7. Sample CVE Mapping

  8. CVE for IDS • Standard name for vulnerability-related attacks • Interoperability • Multi-vendor compatibility • Correlate with assessment tool results to reduce false positives • Share incident data • Consistency of reports • IDS comparisons • Accuracy, coverage, performance • Common attack list • DARPA CIDF and IETF IDWG

  9. CVE from Vulnerability Assessment to IDS Which tools test for these problems? Do my systems have these problems? Does my IDS have the signatures? Tool 1 Popular Attacks IDS CVE-1 CVE-2 CVE-3 CVE-1 CVE-3 CVE-4 CVE-1 CVE-2 CVE-3 CVE-4 Tool 2 CVE-3 CVE-4 I can’t detect exploits of CVE-2 - how well does Tool 1 check for it?

  10. Tool 2 Tool 1 CVE-3 CVE-4 CVE-1 CVE-2 CVE-3 CVE from Attacks to Incident Recovery YES Public Databases I detected an attack on CVE-3. Did my assessment say my system has the problem? CVE-2 CVE-3 Clean up Close the hole Advisories Report the incident CVE-1 CVE-2 CVE-3 NO Don’t send an alarm But the attack succeeded! Tell your vendor Go to YES

  11. CVE Timeline • “Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999) • Initial creation of Draft CVE (Feb-April 1999) • 663 vulnerabilities • Data derived from security tools, hacker site, advisories • Formation of Editorial Board (April-May 1999) • Validation of Draft CVE (May-Sept 1999) • Creation of validation process (May-Sept 1999) • Discussion of high-level CVE content (July-Sept 1999) • Public release (Real Soon Now)

  12. The CVE Editorial Board • Experts from more than 15 security-related organizations • Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts • Mailing list discussions • Validation and voting for individual CVE entries • High-level content decisions • Meetings • Face-to-Face • Teleconference • Membership on an as-needed or as-recommended basis

  13. Bringing New Entries into the CVE • Assignment • Candidate number CAN-1999-XXXX to distinguish from validated CVE entry • Candidate Numbering Authority (CNA) reduces “noise” • Proposal • Announcement and discussion • Voting: Accept, Modify, Reject, Recast, Reviewing • Modification • Interim Decision • Final Decision • CVE name(s) assigned if candidate is accepted • Publication

More Related