The first official dictionary defining terms used to discuss computer systems vulnerabilities was released yesterday, and while it may be scary reading for laymen, it's been long-awaited by those working to defend against cyber-threats.
Those on the front lines have had to fight more than the dark side of the hacker community, people who try to break into systems by exploiting bugs. They also have had to fight confusion arising from the fact that each of those bugs goes by many different names, registered in many different databases by vendors and security organizations, according to Peter Tasker, executive director of security and information at Mitre Corp.
Mitre, a nonprofit engineering company based in Bedford, Massachusetts, is the standard bearer of the Common Vulnerabilities and Exposures (CVE) dictionary and also its electronic host (it is available at http://www.cve.mitre.org). Thus far the dictionary contains 321 entries, mostly bugs in operating systems such as Windows NT, various Unix flavors and Linux.
Tasker yesterday gave the example of a bug that opens the way for an attack on Unix systems. The bug had 10 different names, given by different organizations such as Cisco Systems Inc., IBM Corp. and CERT (Computer Emergency Response Team), a government-supported organization at Carnegie Mellon University in Pittsburgh.
Having one common language will result in better tools for detecting intrusion and analyzing how vulnerable a system is, Tasker said.
Also, it will be easier to provide "the right medicine for the right disease," said Christopher Klaus, founder and chief technology officer at the software vendor Internet Security Systems Inc.
"It will help customers to handle their security better," Klaus said. Buyers of software currently have a tough job: when a piece of out-of-the-box software is bought, they often have to download several patches before the system is safe enough to run, he added.
"Many of the issues come from software vendors trying too rapidly to get the software out of the door," Klaus said. Also, there is a lack of knowledge about vulnerabilities in the development phase, he said.
Programmers may not understand the impact of their code when the product ships, and weaknesses may not come to light until somebody outside has made an analysis, Klaus said.
The SANS Institute, representing 62,000 systems administrators and security professionals, also applauded the initiative taken by Mitre. Currently, SANS members have to read through piles of papers in the hope of staying up to date on vulnerabilities, said Stephen Northcutt, director of SANS's intrusion detection program.
"And when CVE hits the point of 1,000 entries, it will be a powerful tool," Northcutt said.
Steve Christey, senior software analyst at Mitre, has identified 663 issues, half of them included in CVE. The rest are still being discussed by the 19-member editorial board, which consists of software tool vendors and security experts from academia and other organizations.
Achieving agreement has not been easy, because what one party sees as a threat, another may see as a necessary function, according to Mitre.
So far Mitre has no intention of deriving statistics from the CVE content, but Tasker jokingly talked of instituting a not-very-welcome prize for the software vendor with the most entries in CVE.
While SANS's Northcutt said that the CVE will have an educational influence, its authors hope that at least one group doesn't learn too much from it.
"We did not want to be accused of providing crackers with information. That is why we have limited it to being a dictionary, without cross references, without hyperlinks to where the problem is discussed in detail," said Tasker.
Mitre Corp., based in Bedford, Massachusetts, can be reached at +1-781-271-2000 or at http://www.mitre.org/.