
Too much information

New cross-referencing system helps network security vendors describe problems in similar terms.


Research is a large part of Gerry Zepp's job as corporate security director for Comstar.net, a business ISP in Atlanta.

Every day, he logs on to the Internet to keep abreast of the latest and greatest security vulnerabilities. He visits Carnegie Mellon's Computer Emergency Response Team (CERT) site and reads advisories, then bops over to Internet Security Systems' X-Force alert page. He also receives numerous Bugtraq mailing lists and other security vendor mailings. But all too often, his search ends in frustration.

For example, Finjan, a mobile-code security vendor, might say that a vulnerability is a Java or ActiveX code problem, while Internet Security Systems will describe the same vulnerability as a back door into the network. "It's a real pain because there's no single point where you can find the right material," Zepp says. "The language is different everywhere."

Take a remote monitoring tool like Back Orifice or NetBus. Virus protection firms describe these threats as viruses, but they're really back doors. "You need a solid background in security to understand two different versions of the same exploit," Zepp says.

Steve Christey used to grapple with the same problem as he assessed security for engineering services firm Mitre's 12,000-node network.

"We'd find 600 vulnerabilities when we used one product, but 230 vulnerabilities when we used another. We couldn't deconflict the Tower of Babel," says Peter Tasker, executive director of Mitre's security and information operation division in Bedford, Mass.

But a few months ago, Christey found a solution. He launched Common Vulnerabilities and Exposures (CVE), a cross-referencing system that will hopefully result in a single, common description for each vulnerability.

Already, CVE has drafted common descriptors for 320 potential risks - everything from buffer overflows in Network File System to denial of service in Internet Explorer 4. Every entry gets a number for cross-referencing, and that number is what companies, Bugtraq list servers, CERT and others will cross-reference their material to.
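The cross-referencing idea described above, as an added example (not code from the article or from Mitre): findings from two assessment tools are joined on a shared CVE-style number rather than on each vendor's own title. The tool names, hosts, titles and `CVE-0000-…` identifiers are constructed placeholders.

```python
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample output from two hypothetical scanners.
REPORTS = {
    "scanner_a": [
        {"host": "192.0.2.5", "title": "Remote admin trojan listener", "cve": "CVE-0000-0001"},
        {"host": "192.0.2.5", "title": "NFS mountd overflow", "cve": "CVE-0000-0002"},
        {"host": "192.0.2.9", "title": "Browser DoS", "cve": None},
    ],
    "scanner_b": [
        {"host": "192.0.2.5", "title": "Backdoor: remote control service", "cve": "cve-0000-0001"},
        {"host": "192.0.2.5", "title": "Buffer overflow in NFS", "cve": "CVE-0000-0002 "},
        {"host": "192.0.2.7", "title": "Buffer overflow in NFS", "cve": "CVE-0000-0002"},
    ],
}

def normalize_cve(ref):
    """Return a canonical ID, or None if the reference is missing or malformed."""
    if not ref:
        return None
    ref = ref.strip().upper()
    return ref if CVE_RE.match(ref) else None

def deconflict(reports):
    """Group findings by (host, CVE ID); keep findings with no usable ID apart."""
    merged = defaultdict(dict)   # (host, cve) -> {tool: vendor-specific title}
    unmatched = []               # cannot be joined automatically, needs an analyst
    for tool, findings in reports.items():
        for f in findings:
            cve = normalize_cve(f.get("cve"))
            if cve is None:
                unmatched.append((tool, f["host"], f["title"]))
            else:
                merged[(f["host"], cve)][tool] = f["title"]
    return dict(merged), unmatched

def summary(reports):
    """Counts: raw findings, distinct issues after the join, issues seen by every tool."""
    merged, unmatched = deconflict(reports)
    raw = sum(len(v) for v in reports.values())
    by_all = sum(1 for tools in merged.values() if len(tools) == len(reports))
    return {"raw": raw, "distinct": len(merged) + len(unmatched), "seen_by_all": by_all}

if __name__ == "__main__":
    print(summary(REPORTS))
```

Findings that carry no identifier stay in `unmatched`, which is the part of the report that still has to be reconciled by hand.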

So far, 11 vendors and 16 security-related groups have bought into CVE. Purdue University's Center for Education and Research in Information Assurance and Security and Security Focus' sites are already CVE-searchable, meaning their alerts reference CVE identification numbers.

In addition, the participating vendors are working on the CVE editorial board, spearheaded by Mitre's Christey, to define and number the vulnerabilities. For example, Internet Security Systems' X-Force database of vulnerabilities provided some of the earliest descriptors for CVE.

Christey has the final word on the descriptors, then adds them to the CVE database. Once in the database, vendors will provide links to the CVE descriptors. And as new vulnerabilities arise, the same process will repeat itself.

CVE is not intended to replace vendor alerts, Bugtraq mailing lists, CERT advisories and the like. It only exists to ensure referencing is easier for folks like Zepp. While CVE doesn't provide patches, each vulnerability in the CVE database includes links to patches and updates.

Chris Williams, senior manager of security research for security tool vendor Network Associates in Santa Clara, sees CVE as a win-win situation for vendors and security professionals.

"So many of these new exploits cross boundaries that it makes defining their nature very difficult," Williams says. "I've done vulnerability assessment work myself. You have to be a genius to figure out what the priorities are when you have more than one vendor's tool in your tool box."

As CVE catches on, expect to see more companies, Bugtraq mailing lists and discussion groups link to the CVE database.

Zepp is already a convert. As president of security services start-up Inprise Security Group in Atlanta, he's been looking for somewhere to send clients for answers after he assesses their networks. "With something like CVE, I can point them to a single place where they can get common explanations of what they're dealing with. I'd use it."

Radcliff is a freelance writer in northern California. She can be reached at derad@aol.com.

Related links

CVE Web site
Includes an FAQ and glossary.

Security Alert
Daily dispatches from the security front from Network World and the 'Net.

Network World on Security
Archive of our free, twice-weekly newsletter.

Center for Education and Research in Information Assurance and Security

Security Focus
Security resources.

Internet Computer Security Association



Copyright, 1994-2006 Network World, Inc. All rights reserved.