Enabling Enterprise Security with CVE
The MITRE Digest, November 2001
In the world of hackers versus computer programmers, there are no small mistakes. Last year, a computer hacker took advantage of a coding mistake and broke into a hospital's computer system and downloaded thousands of medical records. The hacker's activities went unnoticed until the hacker went public, and even then, the hospital initially denied his claims. The next day, the hospital confirmed the intrusion.*
Mistakes in software code, anything from a typo, a math error, incomplete logic, poor configuration, or incorrect use of a function or command, to an oversight in the requirements guiding the design and coding, can result in security complications. When they do, the mistakes are referred to as vulnerabilities or exposures. An entire industry of information security products and services now exists to help you protect your networks and systems from being exploited by the hackers and crackers who would use them to gain unauthorized access.

MITRE's Information Security Group has played a significant role in this field through the creation of "CVE," or Common Vulnerabilities and Exposures, a list or dictionary that provides a single, common name for a single security vulnerability or exposure. CVE's common names give the security tools and services you use to protect your systems a way to communicate with each other that did not exist prior to the creation of CVE. It also provides a way to compare which tools provide what coverage.

* Sullivan, Bob, "Hospital Confirms Hack Incident," MSNBC, Dec. 9, 2000.

Protecting Your Network and Systems

A vulnerability or exposure might exist in any single piece of software or hardware, or be created when one or more of these items are used together. A variety of tools exists to help you locate and fix such occurrences, including vulnerability databases, vulnerability scanners, intrusion detection systems (IDSs), and similar Internet-based services. To keep their products up-to-date, tool and service providers have to continuously gather new vulnerability information. This data is researched by the organization itself, or is obtained from external sources such as security newsletters, notification services, and public information Web sites that are made available to the public by commercial organizations, the government, and other sources (see Table 1).

Table 1: Vulnerability Information Sources
While many sources exist for finding out about vulnerabilities, historically, each source or company has used its own approach for quantifying, naming, describing, and sharing the information about the vulnerabilities it finds. This directly affects your networks and systems when tools and products from different companies are used together and each product refers to the same vulnerability by a different name (see Table 2), resulting in confusion at the least and incomplete coverage at the worst. Also, any vulnerabilities or exposures found within the systems then need to be fixed. Unless your software vendors use the same vulnerability descriptions and names as the sources in Table 1, it may be difficult to find the appropriate patch or fix.

Table 2: The Vulnerability Tower of Babel
In 1999, MITRE created CVE to act as a bridge between the different tools and services. Today, CVE is an international, community effort that has grown from the original 321 official CVE entries (also called "names") to more than 1,600 entries. In addition, CVE includes 1,800 CVE candidates, or CANs, which are those vulnerabilities or exposures under consideration for acceptance into CVE. This means that there are currently 3,400 unique issues with publicly known names available on MITRE's CVE
CVE is publicly available and free to use. Through open and collaborative discussions, members of the CVE Editorial Board decide which vulnerabilities or exposures will be included in CVE, and then determine the common name, description, and references for each entry. Editorial Board members come from numerous information security-related organizations around the world, such as software and tool vendors, research institutions, government agencies, and academia.

Products and services that incorporate CVE names are referred to as "CVE-compatible," meaning that they can cross-link with other products and services that use CVE names. To be CVE-compatible, products or services must be "CVE searchable," so that a user can search using a CVE name to find related information, and any output must be presented in a manner that includes the related CVE name(s) or CAN(s). CVE compatibility facilitates the exchange of vulnerability information and makes it easier to share data in a vendor-independent manner.

MITRE maintains the CVE List and Web site, manages the compatibility process, moderates Editorial Board discussions, and provides guidance to ensure that CVE remains objective and continues to serve the public interest.

Enterprise Security Enabled by CVE

In a CVE-enabled process, CVE-compatible products and services act as a bridge. For example, in figure 2, an organization is able to detect an ongoing attack with its CVE-compatible IDS (A). A CVE-compatible IDS includes in its attack report the specific vulnerabilities that the detected attack exploits. This information can then be compared against the latest vulnerability scan by your CVE-compatible scanner (B) to determine whether your enterprise has one of the vulnerabilities or exposures that can be exploited by the attack. If it does, you can then access a CVE-compatible fix database from your product vendor, or you can use the services of a vulnerability Web site, which lets you identify (C) the location of the fix for a CVE entry (D), if one exists.

Figure 1: A CVE-Enabled Process

Using CVE-compatible products also allows you to improve how your organization responds to security advisories. If the advisory is CVE-compatible, you can see if your scanners check for this threat and then determine whether your IDS has the appropriate attack signatures. If you build or maintain systems for customers, the CVE compatibility of advisories will help you to directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site is CVE-compatible). The result is a much more structured and predictable process for handling advisories than most organizations currently possess.

As with the CVE Editorial Board, the list of organizations working on or delivering CVE-compatible products is international in scope. Currently there are 35+ organizations working toward compatibility for 60+ products and services, including software vendors who have added CVE names to their alerts and to their software patch and update sites.

The changes in tools and services brought about by the adoption and support of CVE allow more systematic and predictable handling of security incidents. As more vendors respond to user requests for CVE compatibility, the complete cycle of finding, analyzing, and fixing vulnerabilities will be addressed, moving this part of securing the enterprise from art to science. Refer to the CVE Web site for the most up-to-date information.

For a more in-depth discussion of this topic, read "The Vulnerabilities of Developing on the Net" by Robert A. Martin, CVE Team member and principal engineer in MITRE's Information Technologies division.
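The IDS-to-scanner-to-fix bridge described above, worked through in code. This is an added example, not code from the article or from MITRE; the IDS alerts, scan results, fix site and every CVE/CAN name in it are constructed placeholders, and the last alert deliberately carries only a tool-private name to show the "Tower of Babel" case.

```python
import re

# In 2001 accepted entries were named CVE-YYYY-NNNN and candidates CAN-YYYY-NNNN;
# a CVE-compatible product must emit one of these with every finding it reports.
CVE_NAME = re.compile(r"^(?:CVE|CAN)-\d{4}-\d{4}$")

# (A) Attack report from a CVE-compatible IDS (constructed data, placeholder
# names): each signature lists the vulnerabilities the attack exploits. The
# third alert names its vulnerability only in a vendor-private scheme.
IDS_ALERTS = [
    {"dst": "10.0.0.5", "sig": "web-cgi-overflow", "vulns": ["CAN-2001-9901", "CVE-2001-9902"]},
    {"dst": "10.0.0.9", "sig": "smtp-relay-probe", "vulns": ["CVE-2001-9903"]},
    {"dst": "10.0.0.5", "sig": "ftp-site-exec", "vulns": ["vendorX-check-77"]},
]

# (B) Latest scan from a CVE-compatible scanner, keyed by host (constructed).
SCAN_RESULTS = {
    "10.0.0.5": {"CVE-2001-9902", "CVE-2001-9904"},
    "10.0.0.9": set(),
}

# (C, D) Vendor fix site keyed by CVE name (constructed placeholders).
FIX_DB = {"CVE-2001-9902": "vendor-patch-42", "CVE-2001-9904": "vendor-patch-43"}


def is_cve_name(name):
    """True for a well-formed CVE or CAN name; only these can be cross-linked."""
    return bool(CVE_NAME.match(name))


def correlate(alerts, scan, fixes):
    """Per alert: the CVE names the target host is actually exposed to, the fix
    location for each (None if the vendor lists none yet), and the names that
    cannot be compared with the scan because they are not CVE names."""
    out = []
    for alert in alerts:
        linkable = [n for n in alert["vulns"] if is_cve_name(n)]
        unlinkable = [n for n in alert["vulns"] if not is_cve_name(n)]
        exposed = sorted(set(linkable) & scan.get(alert["dst"], set()))
        out.append({
            "dst": alert["dst"],
            "sig": alert["sig"],
            "exposed": exposed,                        # attack hits a known exposure
            "fixes": {n: fixes.get(n) for n in exposed},
            "unlinkable": unlinkable,                  # needs a CVE name to be compared
        })
    return out


if __name__ == "__main__":
    for result in correlate(IDS_ALERTS, SCAN_RESULTS, FIX_DB):
        print(result)
```

The first alert resolves to one confirmed exposure with a fix location, the second to none, and the third cannot be resolved at all until the IDS vendor maps its private check name to a CVE name.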
Page last updated: May 20, 2001