Presentation is loading. Please wait.

Presentation is loading. Please wait.

CVE.

Published byIolanda Giusti Modified over 5 years ago

Similar presentations

Presentation on theme: "CVE."— Presentation transcript:

1 CVE

2

3 What is a CVE Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cyber security vulnerabilities. Use of "CVE Identifiers (CVE IDs)," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software vulnerability, provides a baseline for tool evaluation, and enables data exchange for cyber security automation.

4

5

6 Context: The Vulnerability Life Cycle
Mailing lists, Newsgroups, Hacker sites Start Here Discovery Incident Response Teams Incident Reports Academic Study Advisories Incident Handling Analysis CVE Intrusion Detection Systems Databases Newsletters Detection Collection Protection Vulnerability Assessment Tools

7 Implications Difficult to correlate data across multiple organizations and tools E.g. IDS and assessment tools E.g. security tools and fix information Incident information Difficult to conduct a detailed comparison of tools or databases Vulnerabilities are counted differently Which is more comprehensive?

8 Common Vulnerabilities and Exposures (CVE): One Common Language
Lists all publicly known security problems Assigns unique identifier to each problem Remains independent of multiple perspectives Is publicly open and shareable Community-wide effort via the CVE Editorial Board

9 Addressing Common Misconceptions of CVE
Not a full-fledged vulnerability database Simplicity avoids competition, limits debate Intended for use by vulnerability database maintainers Not a taxonomy or classification scheme Focuses on vulnerabilities instead of attacks Does not cover activities such as port mapping Not just “vulnerabilities” in the classical sense Definitions of “vulnerability” vary greatly “Exposure” covers a broader notion of “vulnerability” Competing vendors are working together to adopt CVE

10 CVE Editorial Board Members from 25 different organizations including researchers, tool vendors, response teams, and end users Mostly technical representatives Review and approve CVE entries Discuss issues related to CVE maintenance Monthly meetings (face-to-face or phone) Publicly viewable mailing list archives

11 Adding new entries Board member submits raw information to MITRE
Submissions are grouped, refined, and proposed back to the Board as candidates Form: CAN-YYYY-NNNN Strong likelihood of becoming CVE-YYYY-NNNN Delicate balance between timeliness and accuracy Board reviews and votes on candidates Accept, modify, recast, reject, reviewing If approved, the candidate becomes a CVE entry Entry is included in a subsequent CVE version Published on CVE web site Entries may later be modified or deprecated

12 CVE is: One name for one vulnerability or exposure
One standardized description for each vulnerability or exposure A dictionary rather than a database How disparate databases and tools can "speak" the same language The way to interoperability and better security coverage A basis for evaluation among tools and databases Free for public download and use Industry-endorsed via the CVE Numbering Authorities, CVE Board, and CVE-Compatible Products

13 Why CVE CVE was launched in 1999, as a government US program
different metrics to state the number of vulnerabilities or exposures they detected CVE is now the industry standard for vulnerability and exposure names.

14 CVE Identifier CVE Identifiers (also referred to by the community as "CVE IDs," "CVE entries," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known cyber security vulnerabilities. Each CVE Identifier includes the following: CVE identifier number with four or more digits in the sequence number portion of the ID (i.e., "CVE ", "CVE ", "CVE "). Brief description of the security vulnerability or exposure. Any pertinent references (i.e., vulnerability reports and advisories). CVE Identifiers are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross- linking with other repositories that also use CVE Identifiers.

15 CVE IDs have the format CVE-YYYY-NNNNN.
The YYYY portion is the year that the CVE ID was assigned OR the year the vulnerability was made public (if before the CVE ID was assigned). The "Description" portion of CVE Identifier (CVE ID) entries are typically written by CVE Numbering Authorities (CNAs), MITRE's CVE Content Team, or individuals requesting a CVE ID. to write a CVE Description, the MITRE CVE Content Team analyzes public, third- party reports of vulnerabilities (i.e., "references"); extracts the relevant information from each reference; resolves any conflicting information or inconsistent usage of terminology; and then writes the description. Each CVE Identifier includes appropriate References. Each reference used in CVE identifies the source, includes a well-defined identifier to facilitate searching on a source's website, and notes the associated CVE Identifier.

16 State of CVE IDs RESERVED -> it has been reserved for use by a CVE Numbering Authority (CNA) the CVE is populated with details and published on the CVE List, it will become available in the U.S. National Vulnerability Database (NVD) As one of the final steps in the process, the NVD Common Vulnerability Scoring System (CVSS) scores for the CVE ID are assigned by the NIST NVD team. DISPUTED -> When one party disagrees with another party's assertion that a particular issue in software is a vulnerability REJECT -> Not accepted as CVE

17 The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.

Download ppt "CVE."

Similar presentations

COUNTER: improving usage statistics Peter Shepherd Director COUNTER December 2006.

COUNTER: improving usage statistics Peter Shepherd Director COUNTER December 2006.
Usage statistics in context - panel discussion on understanding usage, measuring success Peter Shepherd Project Director COUNTER AAP/PSP 9 February 2005.

Usage statistics in context - panel discussion on understanding usage, measuring success Peter Shepherd Project Director COUNTER AAP/PSP 9 February 2005.
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.

Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
The COUNTER Code of Practice for Books and Reference Works Peter Shepherd Project Director COUNTER UKSG E-Books Seminar, 9 November 2005.

The COUNTER Code of Practice for Books and Reference Works Peter Shepherd Project Director COUNTER UKSG E-Books Seminar, 9 November 2005.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann.

The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann.
Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures
THE DATA CITATION INDEX AN INNOVATIVE SOLUTION TO EASE THE DISCOVERY, USE AND ATTRIBUTION OF RESEARCH DATA MEGAN FORCE 22 FEBRUARY 2014.

THE DATA CITATION INDEX AN INNOVATIVE SOLUTION TO EASE THE DISCOVERY, USE AND ATTRIBUTION OF RESEARCH DATA MEGAN FORCE 22 FEBRUARY 2014.
A Model for Exchanging Vulnerability Information draft-booth-sacm-vuln-model-01 David Waltermire.

A Model for Exchanging Vulnerability Information draft-booth-sacm-vuln-model-01 David Waltermire.
My Resource for Excellence. Canadian Heritage Information Network Creation of the Collections Management Software Review (CMSR) Heather Dunn, CHIN.

My Resource for Excellence. Canadian Heritage Information Network Creation of the Collections Management Software Review (CMSR) Heather Dunn, CHIN.
Promoting Web Services Interoperability Across Platforms, Applications and Programming Languages Basic Profile 1.0 August 12, 2003 Copyright © 2003 by.

Promoting Web Services Interoperability Across Platforms, Applications and Programming Languages Basic Profile 1.0 August 12, 2003 Copyright © 2003 by.
Chapter 1 Database Systems

Chapter 1 Database Systems
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
Security Automation May 26th, 2010. Security Automation: the challenge “Tower of Babel” – Too much proprietary, incompatible information – Costly – Error.

Security Automation May 26th, Security Automation: the challenge “Tower of Babel” – Too much proprietary, incompatible information – Costly – Error.
© 2010 Health Information Management: Concepts, Principles, and Practice Chapter 5: Data and Information Management.

© 2010 Health Information Management: Concepts, Principles, and Practice Chapter 5: Data and Information Management.
Database Administration

Database Administration
CASE (Computer-Aided Software Engineering) Tools Software that is used to support software process activities. Provides software process support by:- –

CASE (Computer-Aided Software Engineering) Tools Software that is used to support software process activities. Provides software process support by:- –
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright 2010, The World Bank Group. All Rights Reserved. Recommended Tabulations and Dissemination Section B.

Copyright 2010, The World Bank Group. All Rights Reserved. Recommended Tabulations and Dissemination Section B.
Achieving Semantic Interoperability at the World Bank Designing the Information Architecture and Programmatically Processing Information Denise Bedford.

Achieving Semantic Interoperability at the World Bank Designing the Information Architecture and Programmatically Processing Information Denise Bedford.

Similar presentations

Ads by Google