Presentation is loading. Please wait.

Presentation is loading. Please wait.

Common Vulnerabilities and Exposures

Published byEllen Carr Modified over 8 years ago

Similar presentations

Presentation on theme: "Common Vulnerabilities and Exposures"— Presentation transcript:

1 Common Vulnerabilities and Exposures
Steve Christey Margie Zuk June 22, 2000

2 Context: The Vulnerability Life Cycle
Mailing lists, Newsgroups, Hacker sites Start Here Discovery Incident Response Teams Incident Reports Academic Study Advisories Incident Handling Analysis CVE Intrusion Detection Systems Databases Newsletters Detection Collection Protection Vulnerability Assessment Tools

3 A Roadblock to Information Sharing: Same Problem, Different Names

4 The Implications Difficult to correlate data across multiple organizations and tools E.g. IDS and assessment tools E.g. security tools and fix information Incident information Difficult to conduct a detailed comparison of tools or databases Vulnerabilities are counted differently Which is more comprehensive?

5 Common Vulnerabilities and Exposures (CVE): One Common Language
Lists all publicly known security problems Assigns unique identifier to each problem Remains independent of multiple perspectives Is publicly open and shareable Community-wide effort via the CVE Editorial Board

6 Addressing Common Misconceptions of CVE
Not a full-fledged vulnerability database Simplicity avoids competition, limits debate Intended for use by vulnerability database maintainers Not a taxonomy or classification scheme Focuses on vulnerabilities instead of attacks Does not cover activities such as port mapping Not just “vulnerabilities” in the classical sense Definitions of “vulnerability” vary greatly “Exposure” covers a broader notion of “vulnerability” Competing vendors are working together to adopt CVE

7 CVE Editorial Board Members from 25 different organizations including researchers, tool vendors, response teams, and end users Mostly technical representatives Review and approve CVE entries Discuss issues related to CVE maintenance Monthly meetings (face-to-face or phone) Publicly viewable mailing list archives

8 Active Editorial Board Members (as of June 19, 2000)
Tool Vendors David Balenson - NAI Andy Balinsky - Cisco Scott Blake - BindView Andre Frech - ISS Kent Landfield - info-ops.com Jim Magdych - NAI David Mann - BindView Craig Ozancin - AXENT Paul E. Proctor - CyberSafe Mike Prosser - Symantec Marcus Ranum - NFR Steve Schall - Intrusion.com Tom Stracener - Hiverworld Bill Wall - Harris Kevin Ziese - Cisco Response Teams Ken Armstrong - CanCERT Bill Fithen - CERT Coordination Center Scott Lawler - DOD-CERT Academic/Educational Matt Bishop - UC Davis Computer Security Lab Pascal Meunier - Purdue University CERIAS Alan Paller - SANS Institute Gene Spafford - Purdue University CERIAS Network Security Eric Cole - Vista IT Kelly Cooper - GTE Internetworking Information Providers Russ Cooper - NTBugtraq Elias Levy - Bugtraq, Security Focus Ron Nguyen - Ernst and Young Ken Williams - eSecurityOnline.com OS Vendors David LeBlanc - Microsoft Casper Dik - Sun Other Security Analysts Steve Northcutt - SANS Adam Shostack - Zero-Knowledge Systems Stuart Staniford - Silicon Defense MITRE Dave Baker, Steve Christey, Bill Hill

9 CVE Enables Detailed Product Comparisons

10 Using CVE from Advisories to IDSes
Do my systems have these problems? Which tools test for these problems? Does my IDS have the signatures? Tool 1 Popular Attacks IDS CVE-1 CVE-2 CVE-3 CVE-1 CVE-3 CVE-4 CVE-1 CVE-2 CVE-3 CVE-4 Tool 2 CVE-3 CVE-4 I can’t detect exploits of CVE-2 - how well does Tool 1 check for it?

11 Using CVE from Attacks to Incident Recovery
YES I detected an attack on CVE-3. Did my assessment say my system has the problem? Public Databases CVE-2 CVE-3 Clean up Close the hole Advisories Report the incident CVE-1 CVE-2 CVE-3 Tool 2 CVE-3 CVE-4 NO Tool 1 CVE-1 CVE-2 CVE-3 Don’t send an alarm But the attack succeeded! Tell your assessment vendor Go to YES

12 CVE Compatibility Ensures that a tool or database can “speak CVE” and correlate data with other CVE-compatible products Requirements Find items by CVE name (CVE searchable) Include CVE name in output for each item (CVE output) Provide MITRE with database items that are not in CVE yet Good faith effort to keep mappings accurate 25 organizations have declared their intentions to make their products CVE compatible

13 Organizations Working Toward CVE Compatibility
Internet Security Systems Nessus Project Network Associates Network Security Wizards NIST NTBugtraq SANS Institute Security Focus - Bugtraq Symantec (L-3) UC Davis White Hats World Wide Digital Security * * Advanced Research Corp. Alliance Qualité Logiciel AXENT BindView CERIAS/Purdue University CERT Cisco CyberSafe Cyrano Ernst and Young Harris Corp. Hiverworld, Inc. Intrusion.com * CVE already being used in a product =

14 Adding New Entries to CVE
Board member submits raw information to MITRE Submissions are grouped, refined, and proposed back to the Board as candidates Form: CAN-YYYY-NNNN Strong likelihood of becoming CVE-YYYY-NNNN Not a guarantee Delicate balance between timeliness and accuracy Board reviews and votes on candidates Accept, modify, recast, reject, reviewing If approved, the candidate becomes a CVE entry Entry is included in a subsequent CVE version Published on CVE web site Entries may later be modified or deprecated

15 Stages of Security Information in CVE
Submissions Candidates Entries Raw information Obtained from MITRE, Board members, and other data feeds Combined and refined Placed in clusters Proposed to Editorial Board Accepted or rejected Backmap tells submitters what candidates were assigned to their submissions Added to CVE list Submissions, candidates removed from the “pool” Published in an official CVE version ….. ….. CAN CVE ….. ….. CAN <REJECTED> ….. ….. CAN CVE ….. ….. Back-map

16 Content Decisions Explicit guidelines for content of CVE entries
Ensure consistency within CVE Provide “lessons learned” for researchers Three basic types Inclusion What goes into CVE? What doesn’t, and why? Example: weak encryption, bugs in beta code Level of Abstraction Example: default passwords, or multiple bugs in the same application - one or many entries? Format Example: what goes into a CVE description? Challenge: what to do with incomplete information?

17 The CVE Strategy Discovery Products Policy
Unreviewed Bugtraqs, Mailing lists, Hacker sites Discovery Products Policy time Reviewed Advisories CERT, CIAC, Vendor advisories Scanners, Intrusion Detection, Vulnerability Databases Methodologies Purchasing Requirements Education 1. Inject Candidate numbers into advisories 2. Establish CVE at product level in order to... 3. … enable CVE to permeate the policy level.

18 CVE Status as of June 2000 Latest CVE version: 20000602 700 entries
722 additional candidates being reviewed by Editorial Board Received vulnerability databases from 10 organizations Will help create more legacy candidates Processing 10,000 submissions (database items) May produce over 1000 additional candidates? Candidate numbers used in 5 security advisories CVE names included in Top Internet Security Threats list Editorial Board discussing content decisions Affects ~300 candidates

19 Future Directions Add more entries to CVE
Goal: 1000 entries by September 2000 Add entries for all 1999, 2000 advisories Add more candidates Goals: 1000 new candidates by September 2000 Cover 80% of items in each participating tool or database Use CVE identifiers in advisories, newsletters, etc. Use CVE in deeper product analysis Work with users and vendors to establish CVE as a de facto standard

20 For More Information

Download ppt "Common Vulnerabilities and Exposures"

Similar presentations

Usage statistics in context - panel discussion on understanding usage, measuring success Peter Shepherd Project Director COUNTER AAP/PSP 9 February 2005.

Usage statistics in context - panel discussion on understanding usage, measuring success Peter Shepherd Project Director COUNTER AAP/PSP 9 February 2005.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.

Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
S&I Framework Provider Directories Initiative esMD Work Group October 19, 2011.

S&I Framework Provider Directories Initiative esMD Work Group October 19, 2011.
Computer Security Workshops Security 101 - Introduction, Central Principles and Concepts.

Computer Security Workshops Security Introduction, Central Principles and Concepts.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Common Vulnerabilities and Exposures (CVE) September 29, 1999 Pete Tasker Margie Zuk Steve Christey, Dave Mann Bill Hill, Dave Baker.

Common Vulnerabilities and Exposures (CVE) September 29, 1999 Pete Tasker Margie Zuk Steve Christey, Dave Mann Bill Hill, Dave Baker.
Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.

Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
An Introduction to the Hennepin County Hennepin County GIS Technical Advisory Group (eGTAG) 10/20/2009.

An Introduction to the Hennepin County Hennepin County GIS Technical Advisory Group (eGTAG) 10/20/2009.
National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Vulnerability Assessments

Vulnerability Assessments
Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger 515-237-5007.

Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger
The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann.

The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann.
 1 CVE Behind the Scenes: The Complexity of Being Simple Steve Christey The MITRE Corporation July 11, 2001 © 2001 The MITRE Corporation.

 1 CVE Behind the Scenes: The Complexity of Being Simple Steve Christey The MITRE Corporation July 11, 2001 © 2001 The MITRE Corporation.
Chapter 1 Database Systems. Good decisions require good information derived from raw facts Data is managed most efficiently when stored in a database.

Chapter 1 Database Systems. Good decisions require good information derived from raw facts Data is managed most efficiently when stored in a database.

Similar presentations

Ads by Google