Common Vulnerabilities and Exposures CVE - PowerPoint PPT Presentation

About This Presentation
Title:

Common Vulnerabilities and Exposures CVE

Description:

Matt Bishop - UC Davis Computer Security Lab. Alan Paller - SANS Institute ... MITRE. Steve Christey (Chair) Bill Hill. David Mann. Dave Baker. Other Security Analysts ... – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
Common Vulnerabilities and Exposures (CVE)
  • September 29, 1999
  • Pete Tasker
  • Margie Zuk
  • Steve Christey, Dave Mann
  • Bill Hill, Dave Baker

2
Where Does CVE Fit?
[Diagram: CVE at the center, linking Intrusion Detection, Vulnerability Databases and Incident Reporting]
3
Before CVE: Same Problem, Different Names
4
After CVE: One Common Language

Description                                          Name
ToolTalk (rpc.ttdbserverd) buffer overflow           CVE-1999-0003
Buffer overflow in qpopper                           CVE-1999-0006
CGI phf program allows remote command execution      CVE-1999-0067
Windows NT debug-level access bug (a.k.a. Sechole)   CVE-1999-0344
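The point of the table above is that two tools which call the same problem by different names can still agree once each maps its local name to the CVE name. The following Python is an added example, not code from the slides or from MITRE: it uses the four entries from the table as the CVE list, while the scanner and IDS signature names, the mapping tables and the hosts are constructed placeholders, not real product identifiers.

```python
"""Correlating scanner findings with IDS alerts via shared CVE names (added example)."""
from collections import defaultdict

# The four entries from the slide's "After CVE" table.
CVE_ENTRIES = {
    "CVE-1999-0003": "ToolTalk (rpc.ttdbserverd) buffer overflow",
    "CVE-1999-0006": "Buffer overflow in qpopper",
    "CVE-1999-0067": "CGI phf program allows remote command execution",
    "CVE-1999-0344": "Windows NT debug-level access bug (a.k.a. Sechole)",
}

# Constructed: each tool's own name for a problem, mapped to the common CVE name.
# The local names below are invented placeholders, not real product signature IDs.
TOOL_TO_CVE = {
    "scanner": {
        "ttdbserverd-overflow": "CVE-1999-0003",
        "qpop-overflow": "CVE-1999-0006",
        "phf-cgi": "CVE-1999-0067",
    },
    "ids": {
        "RPC_TTDB_BO": "CVE-1999-0003",
        "WEB-CGI phf access": "CVE-1999-0067",
        "NT_SECHOLE": "CVE-1999-0344",
    },
}

# Constructed sample output from the two tools: (host, tool-local name).
SCANNER_FINDINGS = [("h1", "ttdbserverd-overflow"), ("h1", "phf-cgi"), ("h2", "qpop-overflow")]
IDS_ALERTS = [("h1", "RPC_TTDB_BO"), ("h2", "NT_SECHOLE"), ("h2", "unknown-sig")]


def to_cve(tool, local_name):
    """Translate one tool's local name into the common CVE name (None if unmapped)."""
    return TOOL_TO_CVE.get(tool, {}).get(local_name)


def correlate(scanner_findings, ids_alerts):
    """Return (matches, unmapped).

    matches  - {(host, cve): {"scanner": [...], "ids": [...], "description": str}}
               for (host, cve) pairs reported by BOTH tools, i.e. a scanner-known
               weakness that the IDS also saw being probed on that host.
    unmapped - [(tool, local_name)] names with no CVE mapping; these are the gaps
               a maintainer has to close before the tools can be compared at all.
    """
    by_key = defaultdict(lambda: {"scanner": [], "ids": []})
    unmapped = []
    for tool, records in (("scanner", scanner_findings), ("ids", ids_alerts)):
        for host, local in records:
            cve = to_cve(tool, local)
            if cve is None:
                unmapped.append((tool, local))
                continue
            by_key[(host, cve)][tool].append(local)
    matches = {}
    for key, sides in by_key.items():
        if sides["scanner"] and sides["ids"]:
            matches[key] = dict(sides, description=CVE_ENTRIES.get(key[1], ""))
    return matches, unmapped


if __name__ == "__main__":
    matches, unmapped = correlate(SCANNER_FINDINGS, IDS_ALERTS)
    for (host, cve), info in matches.items():
        print(f"{host} {cve} ({info['description']}): scanner={info['scanner']} ids={info['ids']}")
    print("unmapped:", unmapped)
```

Only the ToolTalk problem on h1 correlates, because the scanner found it and the IDS alerted on it under a different local name; the unmapped IDS signature is surfaced separately so that the missing mapping is visible rather than silently dropped.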
5
How was CVE Developed? From Tools and Vulnerability Mappings
6
Who Developed CVE? The CVE Editorial Board
  • Response Teams: Bill Fithen - CERT Coordination Center / Carnegie Mellon University
  • Tool Vendors: Andy Balinsky - Cisco; Scott Blake - Bindview; Natalie Brader - L-3 Security; Rob Clyde - AXENT; Andre Frech - ISS; Kent Landfield - NFR; Craig Ozancin - AXENT; Paul E. Proctor - CyberSafe; Mike Prosser - L-3 Security; Steve Snapp - CyberSafe; Bill Wall - Harris; Kevin Ziese - Cisco
  • Academic/Educational: Matt Bishop - UC Davis Computer Security Lab; Alan Paller - SANS Institute; Gene Spafford - Purdue University CERIAS; Pascal Meunier - Purdue University CERIAS
  • Network Security: Kelly Cooper - GTE Internet
  • Other Security Analysts: Russ Cooper - NTBugtraq; Marc Dacier - IBM; Elias Levy - Bugtraq, Security Focus; Steve Northcutt - OSD/BMDO; Adam Shostack - Zero-Knowledge Sys; Stuart Staniford-Chen - Silicon Defense
  • MITRE: Steve Christey (Chair); Bill Hill; David Mann; Dave Baker
7
What are the Benefits of CVE?
  • Provides common language for referring to problems
  • Facilitates data sharing among
    • Intrusion Detection Systems (IDSes)
    • Assessment tools
    • Vulnerability databases
    • Researchers
    • Incident response teams
  • Will lead to improved security tools
    • More comprehensive, better comparisons, interoperable
    • Indications and warning systems
  • Will spark further innovations
  • Focal point for discussing critical database content issues (e.g. configuration problems)

8
What's Next for CVE?
  • SANS Network Security Conference (Oct. 6)
    • Training for 1000 system administrators
    • Jeffrey Hunker (NSC) keynote
    • Intrusion detection live exercise (IDnet)
    • Booth with editorial board members demo
  • National Information Systems Security Conference (Oct. 19)
    • Two booths: with NIAP and with vendors
  • Editorial Board works through resolution of remaining naming issues
  • Enhancements provided to the CVE web site to make it more useful
  • Expand CVE impact and community through outreach
    • Add other vendor tools, vulnerability sites, applications

9
CVE: Fostering Better Protection through Better Information Sharing
[Diagram: CVE at the center, linking Intrusion Detection, Vulnerability Databases and Incident Reporting]
10
Additional Detail
11
CVE Timeline
  • Towards a Common Enumeration of Vulnerabilities, 2nd CERIAS Workshop on Vulnerability Databases (January 1999)
  • Initial creation of Draft CVE (Feb-April 1999)
    • 663 vulnerabilities
    • Data derived from security tools, hacker sites, advisories
  • Formation of Editorial Board (April-May 1999)
  • Validation of Draft CVE (May-Sept 1999)
  • Creation of validation process (May-Sept 1999)
  • Discussion of high-level CVE content (July-ongoing 1999)
  • Public release (September 1999)

12
The CVE Editorial Board
  • Experts from more than 19 security-related organizations
    • Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts
  • Mailing list discussions
    • Validation and voting for individual CVE entries
    • High-level content decisions
  • Meetings
    • Face-to-Face
    • Teleconference
  • Membership on an as-needed or as-recommended basis

13
Bringing New Entries into the CVE
  • Assignment
    • Candidate number CAN-1999-XXXX to distinguish from validated CVE entry
    • Candidate Numbering Authority (CNA) reduces noise
  • Proposal
    • Announcement and discussion
    • Voting: Accept, Modify, Reject, Recast, Reviewing
  • Modification
  • Interim Decision
  • Final Decision
    • CVE name(s) assigned if candidate is accepted
    • Publication on CVE web site
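The stages on this slide form a small workflow: a candidate is named CAN-YYYY-NNNN, proposed to the board, voted on with one of the five listed values, and only on acceptance receives a CVE name. The Python below is an added example that models that workflow; it is not MITRE's code. The name pattern and vote values come from the slide, but the rule for turning votes into an interim decision, the restriction that only CAN names enter the process, and the assumption that an accepted candidate keeps its year and number when it becomes a CVE name are all choices made for this example.

```python
"""Lifecycle of a CVE candidate, following the stages on the slide (added example)."""
import re
from collections import Counter

# Name format from the slide: CAN-1999-XXXX for candidates, CVE-1999-XXXX for validated entries.
NAME_RE = re.compile(r"^(CAN|CVE)-(\d{4})-(\d{4})$")
# The five vote values listed on the slide.
VOTES = ("Accept", "Modify", "Reject", "Recast", "Reviewing")


def parse_name(name):
    """Return (prefix, year, number) for a well-formed CAN/CVE name, else raise ValueError."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"malformed CVE/CAN name: {name!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


class Candidate:
    """A CAN entry moving through Assignment -> Proposal -> Modification -> Interim -> Final."""

    def __init__(self, can_name, description):
        prefix, _, _ = parse_name(can_name)
        if prefix != "CAN":                    # assumption: only candidates enter the process
            raise ValueError("only candidates (CAN-...) enter the review process")
        self.name = can_name
        self.description = description
        self.stage = "Assignment"
        self.votes = {}                        # board member -> vote value
        self.outcome = None                    # result of the last interim decision
        self.cve_name = None                   # set only on acceptance

    def propose(self):
        """Proposal stage: the candidate is announced to the board for discussion and voting."""
        self.stage = "Proposal"

    def vote(self, member, choice):
        """Record (or change) one board member's vote; only the slide's five values are allowed."""
        if choice not in VOTES:
            raise ValueError(f"unknown vote {choice!r}; expected one of {VOTES}")
        if self.stage not in ("Proposal", "Modification"):
            raise RuntimeError(f"voting is not open during {self.stage}")
        self.votes[member] = choice

    def interim_decision(self):
        """Tally the votes. The rule here is an ASSUMPTION for this example, not the board's
        real rule: any 'Reviewing' vote keeps the candidate open; Accept wins when Accept
        votes outnumber Reject votes and nobody asked to Modify or Recast; Reject wins when
        Reject votes outnumber Accept votes; anything else sends it back to Modification."""
        tally = Counter(self.votes.values())
        if tally["Reviewing"]:
            self.stage, self.outcome = "Modification", "Reviewing"
        elif tally["Accept"] > tally["Reject"] and not tally["Modify"] and not tally["Recast"]:
            self.stage, self.outcome = "Interim Decision", "Accept"
        elif tally["Reject"] > tally["Accept"]:
            self.stage, self.outcome = "Interim Decision", "Reject"
        else:
            self.stage, self.outcome = "Modification", "Modify"
        return self.outcome

    def final_decision(self):
        """Final Decision: an accepted candidate gets a CVE name and is ready for publication.
        ASSUMPTION: the CVE name keeps the candidate's year and number."""
        if self.stage != "Interim Decision":
            raise RuntimeError("a final decision requires an interim decision first")
        self.stage = "Final Decision"
        if self.outcome == "Accept":
            _, year, number = parse_name(self.name)
            self.cve_name = f"CVE-{year:04d}-{number:04d}"
        return self.cve_name


if __name__ == "__main__":
    # Constructed walk-through using a description from the slides' example table.
    cand = Candidate("CAN-1999-0003", "ToolTalk (rpc.ttdbserverd) buffer overflow")
    cand.propose()
    cand.vote("member-a", "Accept")
    cand.vote("member-b", "Accept")
    cand.vote("member-c", "Modify")
    print(cand.interim_decision(), cand.stage)   # Modify Modification
    cand.vote("member-c", "Accept")
    print(cand.interim_decision(), cand.stage)   # Accept Interim Decision
    print(cand.final_decision())                 # CVE-1999-0003
```

The parser is the part worth reusing: it rejects names that do not match the slide's four-digit year and four-digit number layout, which is the kind of check a vulnerability database or IDS signature file would apply before trusting a reference.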