130 likes | 233 Views
The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List. Steven M. Christey David W. Baker William H. Hill David E. Mann The MITRE Corporation. Outline. Description Examples Applications to IDS Activities Editorial Board.
E N D
The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann The MITRE Corporation
Outline • Description • Examples • Applications to IDS • Activities • Editorial Board
What is the CVE (Common Vulnerabilities and Exposures List)? • A list of common information systems security problems (but CISSP was taken) • Vulnerabilities • Problems that are universally thought of as “vulnerabilities” in any security policy • Software flaws that could directly allow serious damage • phf, ToolTalk, Smurf, rpc.cmsd, etc. • Exposures • Problems that are sometimes thought of as “vulnerabilities” in some security policies • Stepping stones for a successful attack • Running finger, poor logging practices, etc.
CVE Goals • Enumerate all publicly known problems • Assign a standard, unique name to each problem • Exist independently of multiple perspectives • Be publicly open and shareable, without distribution restrictions
Why the CVE? • Provide common language for referring to problems • Facilitate data sharing between • IDSes • Assessment tools • Vulnerability databases • Academic research • Incident response teams • Foster better communication across the community • Get better tools that interoperate across multiple vendors
CVE for IDS • Standard name for vulnerability-related attacks • Interoperability • Multi-vendor compatibility • Correlate with assessment tool results to reduce false positives • Share incident data • Consistency of reports • IDS comparisons • Accuracy, coverage, performance • Common attack list • DARPA CIDF and IETF IDWG
CVE from Vulnerability Assessment to IDS Which tools test for these problems? Do my systems have these problems? Does my IDS have the signatures? Tool 1 Popular Attacks IDS CVE-1 CVE-2 CVE-3 CVE-1 CVE-3 CVE-4 CVE-1 CVE-2 CVE-3 CVE-4 Tool 2 CVE-3 CVE-4 I can’t detect exploits of CVE-2 - how well does Tool 1 check for it?
Tool 2 Tool 1 CVE-3 CVE-4 CVE-1 CVE-2 CVE-3 CVE from Attacks to Incident Recovery YES Public Databases I detected an attack on CVE-3. Did my assessment say my system has the problem? CVE-2 CVE-3 Clean up Close the hole Advisories Report the incident CVE-1 CVE-2 CVE-3 NO Don’t send an alarm But the attack succeeded! Tell your vendor Go to YES
CVE Timeline • “Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999) • Initial creation of Draft CVE (Feb-April 1999) • 663 vulnerabilities • Data derived from security tools, hacker site, advisories • Formation of Editorial Board (April-May 1999) • Validation of Draft CVE (May-Sept 1999) • Creation of validation process (May-Sept 1999) • Discussion of high-level CVE content (July-Sept 1999) • Public release (Real Soon Now)
The CVE Editorial Board • Experts from more than 15 security-related organizations • Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts • Mailing list discussions • Validation and voting for individual CVE entries • High-level content decisions • Meetings • Face-to-Face • Teleconference • Membership on an as-needed or as-recommended basis
Bringing New Entries into the CVE • Assignment • Candidate number CAN-1999-XXXX to distinguish from validated CVE entry • Candidate Numbering Authority (CNA) reduces “noise” • Proposal • Announcement and discussion • Voting: Accept, Modify, Reject, Recast, Reviewing • Modification • Interim Decision • Final Decision • CVE name(s) assigned if candidate is accepted • Publication