The first official dictionary defining terms used to discuss computer systems vulnerabilities has been released. It may be scary reading for laymen, but it's been long awaited by those working to defend against cyberthreats.
Those on the front lines have had to fight the dark side of the hacker community, people who try to break into systems by exploiting bugs. They've also had to fight confusion arising from the fact that each of those bugs goes by many different names, registered in many different databases by vendors and security organizations, according to Peter Tasker, executive director of security and information at Mitre.
Mitre, a nonprofit engineering company based in Bedford, Mass., is the standard bearer of the Common Vulnerabilities and Exposures (CVE) dictionary and its electronic host (it is available at http://www.cve.mitre.org). Thus far the dictionary contains 321 entries, mostly bugs in operating systems such as Windows NT, various Unix flavors and Linux.
Tasker gave the example of a bug that opens the way for an attack on Unix systems. The bug had 10 different names, given by different organizations such as Cisco, IBM and the Computer Emergency Response Team, a government-supported organization at Carnegie Mellon University in Pittsburgh.
Having one common language will result in better tools for detecting intrusion and analyzing how vulnerable a system is, Tasker says.
Also, it will be easier to provide "the right medicine for the right disease," says Christopher Klaus, founder and chief technology officer at the software vendor Internet Security Systems Inc.
"It will help customers to handle their security better," Klaus says. Buyers of software currently have a tough job: When a piece of out-of-the-box software is bought, they often have to download several patches before the system is safe enough to run.
"Many of the issues come from software vendors trying too rapidly to get the software out of the door," Klaus says. Also, there is a lack of knowledge about vulnerabilities in the development phase.
Programmers may not understand the impact of their code when the product ships, and weaknesses may not come to light until somebody outside has made an analysis, Klaus says.
The SANS Institute, representing 62,000 systems administrators and security professionals, also applauded the initiative taken by Mitre. Currently, SANS members have to read through piles of papers in the hope of staying updated on vulnerabilities, said Stephen Northcutt, director of SANS' intrusion detection program.
"And when CVE hits the point of 1,000 entries, it will be a powerful tool," Northcutt says.
Steve Christey, senior software analyst at Mitre, has identified 663 issues, half of them included in CVE. The rest are still being discussed by the 19-member editorial board, which consists of software tool vendors and security experts from academia and other organizations.
Achieving agreement has not been easy, because what might be seen as a threat by one might be seen as a necessary function by others, according to Mitre.
So far Mitre has no intention of looking for statistics in the CVE content, but Tasker jokingly talked of instituting a not-very-welcome prize for the software vendor with the most entries in CVE.
While SANS' Northcutt says that the CVE will have an educational influence, its authors hope that at least one group doesn't learn too much from it.
"We did not want to be accused of providing crackers with information. That is why we have limited it to being a dictionary, without cross references, without hyperlinks to where the problem is discussed in detail," Tasker says.
Mitre can be reached at 781-271-2000 or at http://www.mitre.org/.