Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
Where's my gigabit Internet, anyway?
Americans cool with lab-grown organs, but not designer babies
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report
DDoS Attackers Change Techniques To Wallop Sites
Can we talk? Internet of Things vendors face a communications 'mess'
AMD's profitability streak ends at two quarters
Michaels says breach at its stores affected nearly 3M payment cards
Exclusive: Google's Project Loon tests move to LTE band in Nevada
H-1B loophole may help California utility offshore IT jobs
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Israeli start-up, working with GE, out to detect Stuxnet-like attacks
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested

New dictionary defines cyberthreats

Today's breaking news
Send to a friendFeedback

The first official dictionary defining terms used to discuss computer systems vulnerabilities has been released. It may be scary reading for laymen, but it's been long awaited by those working to defend against cyberthreats.

Those on the front lines have had to fight the dark side of the hacker community, people who try to break into systems by exploiting bugs. They've also had to fight confusion arising from the fact that each of those bugs goes by many different names, registered in many different databases by vendors and security organizations, according to Peter Tasker, executive director of security and information at Mitre.

Mitre, a nonprofit engineering company based in Bedford, Mass., is the standard bearer of the Common Vulnerabilities and Exposures (CVE) dictionary and its electronic host (it is available at Thus far the dictionary contains 321 entries, mostly bugs in operating systems such as in Windows NT, various Unix flavors and Linux.

Tasker gave the example of a bug that opens the way for an attack on Unix systems. The bug had 10 different names, given by different organizations such as Cisco, IBM and the Computer Emergency Response Team, a government supported organization at Carnegie Mellon University, in Pittsburgh.

Having one common language will result in better tools for detecting intrusion and analyzing how vulnerable a system is, Tasker says.

Also, it will be easier to provide "the right medicine for the right disease," says Christopher Klaus, founder and chief technology officer at the software vendor Internet Security Systems Inc.

"It will help customers to handle their security better," Klaus says. Buyers of software currently have a tough job: When a piece of out-of-the-box software is bought, they often have to download several patches before the system is safe enough to run.

"Many of the issues come from software vendors trying too rapidly to get the software out of the door," Klaus says. Also, there is a lack of knowledge about vulnerabilities in the development phase.

Programmers may not understand the impact of their code when the product ships, and weaknesses may not come to light until somebody outside has made an analysis, Klaus says.

The SANS Institute, representing 62,000 systems administrators and security professionals, also applauded the initiative taken by Mitre. Currently, SANS members have to read though piles of papers in the hope of staying updated on vulnerabilities, said Stephen Northcutt, director of SANS' intrusion detection program.

"And when CVE hits the point of 1,000 entries, it will be a powerful tool," Northcutt says.

Steve Christey, senior software analyst at Mitre, has identified 663 issues, half of them included in CVE. The rest are still being discussed by the 19-member editorial board, which consists of software tool vendors and security experts from academia and other organizations.

Achieving agreement has not been easy, because what might be seen as a threat by one, might be seen as a necessary function by others, according to Mitre.

So far Mitre has no intention of looking for statistics in the CVE content, but Tasker jokingly talked of instituting a not-very-welcome prize to the software vendor with most entries in CVE.

While SANS' Northcutt says that the CVE will have an educational influence, its authors hope that at least one group doesn't learn too much from it.

"We did not want to be accused of providing crackers with information. That is why we have limited it to being a dictionary, without cross references, without hyperlinks to where the problem is discussed in details," Tasker says.

Mitre can be reached at 781-271-2000 or at


Tell us your thoughts on this article or the issues it raises.

NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.