
Common Vulnerabilities and Exposures (CVE)

September 29, 1999. Pete Tasker, Margie Zuk, Steve Christey, Dave Mann, Bill Hill, Dave Baker.


Presentation Transcript


  1. Common Vulnerabilities and Exposures (CVE). September 29, 1999. Pete Tasker, Margie Zuk, Steve Christey, Dave Mann, Bill Hill, Dave Baker

  2. Where Does CVE Fit? (Diagram labels: Intrusion Detection, Vulnerability Databases, Incident Reporting, CVE)

  3. Before CVE: Same Problem, Different Names

  4. After CVE: One Common Language

     | Description | Name |
     | --- | --- |
     | ToolTalk (rpc.ttdbserverd) buffer overflow | CVE-1999-0003 |
     | Buffer overflow in qpopper | CVE-1999-0006 |
     | CGI phf program allows remote command execution | CVE-1999-0067 |
     | Windows NT debug-level access bug (a.k.a. Sechole) | CVE-1999-0344 |

  5. How was CVE Developed? From Tools and Vulnerability Mappings

  6. Who Developed CVE? The CVE Editorial Board
     • Response Teams
        • Bill Fithen - CERT Coordination Center/Carnegie Mellon University
     • Tool Vendors
        • Andy Balinsky - Cisco
        • Scott Blake - Bindview
        • Natalie Brader - L-3 Security
        • Rob Clyde - AXENT
        • Andre Frech - ISS
        • Kent Landfield - NFR
        • Craig Ozancin - AXENT
        • Paul E. Proctor - CyberSafe
        • Mike Prosser - L-3 Security
        • Steve Snapp - CyberSafe
        • Bill Wall - Harris
        • Kevin Ziese - Cisco
     • Academic/Educational
        • Matt Bishop - UC Davis Computer Security Lab
        • Alan Paller - SANS Institute
        • Gene Spafford - Purdue University CERIAS
        • Pascal Meunier - Purdue University CERIAS
     • Network Security
        • Kelly Cooper - GTE Internet
     • Other Security Analysts
        • Russ Cooper - NTBugtraq
        • Marc Dacier - IBM
        • Elias Levy - Bugtraq, Security Focus
        • Steve Northcutt - OSD/BMDO
        • Adam Shostack - Zero-Knowledge Sys
        • Stuart Staniford-Chen - Silicon Defense
     • MITRE
        • Steve Christey (Chair)
        • Bill Hill
        • David Mann
        • Dave Baker

  7. What are the Benefits of CVE?
     • Provides common language for referring to problems
     • Facilitates data sharing among
        • Intrusion Detection Systems (IDSes)
        • Assessment tools
        • Vulnerability databases
        • Researchers
        • Incident response teams
     • Will lead to improved security tools
        • More comprehensive, better comparisons, interoperable
        • Indications and warning systems
     • Will spark further innovations
        • Focal point for discussing critical database content issues (e.g. configuration problems)

  8. What’s Next for CVE?
     • SANS Network Security Conference (Oct. 6)
        • Training for 1000 system administrators
        • Jeffrey Hunker (NSC) keynote
        • Intrusion detection live exercise (IDnet)
        • Booth with editorial board members & demo
     • National Information Systems Security Conference (Oct. 19)
        • Two booths: with NIAP and with vendors
     • Editorial Board works through resolution of remaining naming issues
     • Enhancements provided to the CVE web site to make it more useful
     • Expand CVE impact and community through outreach
        • Add other vendor tools, vulnerability sites, applications

  9. CVE: Fostering Better Protection through Better Information Sharing (Diagram labels: Intrusion Detection, Vulnerability Databases, Incident Reporting, CVE)

  10. Additional Detail

  11. CVE Timeline
     • “Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999)
     • Initial creation of Draft CVE (Feb-April 1999)
        • 663 vulnerabilities
        • Data derived from security tools, hacker site, advisories
     • Formation of Editorial Board (April-May 1999)
     • Validation of Draft CVE (May-Sept 1999)
     • Creation of validation process (May-Sept 1999)
     • Discussion of high-level CVE content (July-ongoing 1999)
     • Public release (September 1999)

  12. The CVE Editorial Board
     • Experts from more than 19 security-related organizations
        • Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts
     • Mailing list discussions
        • Validation and voting for individual CVE entries
        • High-level content decisions
     • Meetings
        • Face-to-Face
        • Teleconference
     • Membership on an as-needed or as-recommended basis

  13. Bringing New Entries into the CVE
     • Assignment
        • Candidate number CAN-1999-XXXX to distinguish from validated CVE entry
        • Candidate Numbering Authority (CNA) reduces “noise”
     • Proposal
        • Announcement and discussion
        • Voting: Accept, Modify, Reject, Recast, Reviewing
     • Modification
     • Interim Decision
     • Final Decision
        • CVE name(s) assigned if candidate is accepted
     • Publication on CVE web site
