NC1701
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
SECURITYUPDATE<br />
THE NAMING OF RISK<br />
ACCURATE DEFINITION IS ESSENTIAL TO DEFEND AGAINST<br />
KNOWN RISKS. TOD BEARDSLEY, RESEARCH DIRECTOR AT<br />
RAPID7 EXPLAINS HOW THE INDUSTRY IS ORGANISING<br />
AROUND CVE AND CNA<br />
Common Vulnerabilities and<br />
Exposures, or more simply CVE, is an<br />
international project that is built to<br />
catalogue and define cyber security<br />
vulnerabilities, weaknesses and flaws in<br />
systems, which in turn can provide potential<br />
attackers with access to something that<br />
should remain secure. Started in 1999 by<br />
the MITRE Corporation, a U.S. based,<br />
federally funded non-profit organisation,<br />
CVE aims to provide a common set of<br />
names and descriptions for software<br />
vulnerabilities.<br />
By referring to vulnerabilities according to a<br />
widely-accepted, commonly-understood<br />
naming scheme, security products can easily<br />
interoperate, and security practitioners can<br />
discuss, track and manage vulnerabilities in<br />
an unambiguous way. Before CVE became<br />
the common standard, the only thing<br />
vendors and security researchers could use<br />
to refer to vulnerabilities were proprietary<br />
naming conventions sourced from a wide<br />
variety of vendors and communities. These<br />
were sometimes conflicting as people<br />
referred to the Snort signature database,<br />
Full-Disclosure mailing list posts,<br />
PacketStorm exploits, X-Force IDs, Bugtraq<br />
IDs - the list goes on and on.<br />
Common names are especially useful when<br />
multiple vulnerability management solutions<br />
are in use in a single enterprise. Without<br />
CVE it's extremely difficult to correlate<br />
detection, mitigation, patches and other<br />
corrective measures between vendor<br />
solutions. Further complicating matters,<br />
every enterprise would be forced to<br />
implement their own custom translations<br />
between solutions.<br />
Occasionally vulnerabilities are published<br />
using names that are puns or poetic, such as<br />
Heartbleed, or as it is more accurately<br />
known, CVE-2014-0160. This is rare<br />
however, and the vast majority do not have<br />
such memorable names. Other<br />
vulnerabilities are composed of multiple,<br />
distinct issues, sometimes simultaneously and<br />
sometimes when further investigation reveals<br />
many related, but distinct, underlying<br />
software problems. Shellshock was one such<br />
example: while the initial fix for the identified<br />
vulnerability CVE-2014-6271 was initially<br />
thought to be effective it was found to be<br />
incomplete, and new variations of the<br />
Shellshock vulnerability were discovered and<br />
identified as CVE-2014-7169, CVE-2014-<br />
6277, as well as some others. Shellshock's<br />
ambiguous naming was exactly the sort of<br />
problem that CVE solves. If vulnerabilities<br />
are not assigned a unique name, users of<br />
security solutions run the risk of working with<br />
conflicting information about their own<br />
exposure and risk.<br />
CVE identifiers are not merely picked out of<br />
the air by security researchers or security<br />
product vendors. If they were, we'd be right<br />
back in the thick of ambiguity. CVE identifiers<br />
are issued by CVE Numbering Authorities<br />
(CNAs) with the MITRE Corporation being<br />
the primary editor and CNA for CVEs.<br />
Currently there are 47 CNAs of which 38<br />
are vendor-specific. Microsoft issues CVEs<br />
for Microsoft products, Google for Google<br />
and Android products, RedHat for RedHat<br />
Linux issues and so on. A few are not<br />
vendor-specific and can issue CNAs for<br />
software vulnerabilities that affect vendors<br />
who are not themselves CNAs. These<br />
CNAs tend to be government funded<br />
entities such as CERT/CC (the first Internetwide<br />
computer emergency response team)<br />
and Japan's JPCERT/CC, while others are<br />
established security research organisations<br />
including Rapid7 and Cisco's Talos Security<br />
Intelligence and Research Group.<br />
This federation of CNAs work to ensure<br />
that vulnerabilities are named and<br />
described in a consistent and logical way,<br />
and more importantly help us to keep up<br />
with the ever-quickening pace of<br />
discovered and disclosed software<br />
vulnerabilities.<br />
It's critically important that security<br />
practitioners have a clear understanding of<br />
the vulnerabilities in their environments and<br />
can distinguish between old and new<br />
vulnerabilities, allowing them to make<br />
informed decisions on threat management<br />
strategies that best serve their<br />
requirements. There are thousands of<br />
vulnerabilities published as CVEs each<br />
year, so the work that the CNAs do to<br />
ensure clear and concise names and<br />
definitions is an invaluable public service,<br />
keeping the internet safe and secure. NC<br />
16 NETWORKcomputing JANUARY/FEBRUARY 2017 @NCMagAndAwards<br />
WWW.NETWORKCOMPUTING.CO.UK