Mitre publishes dictionary of information security threats


By William Jackson

GCN Staff

Mitre Corp., a government-funded Bedford, Mass., researcher, has published a searchable security dictionary of common vulnerabilities and exposures.

The CVE dictionary standardizes the names and descriptions of more than 600 information security threats.

CVE, maintained by Mitre and developed in conjunction with several other security companies and organizations, has a vendor-independent naming convention to ease database sharing and make security tools more interoperable.

"CVE is a scientific necessity," said Bill Fithen, senior analyst with the Computer Emergency Response Team at Carnegie Mellon University. "We view it as a milestone in the science of information assurance."

The dictionary, available on the Web at cve.mitre.org, came out in September, and security companies immediately announced products compatible with its terminology.

The lack of common names and descriptions for common security vulnerabilities has made it difficult to share or compare information from the databases incorporated in various security tools. Security experts and systems administrators did not speak a common language.

One CVE entry, CVE-1999-0067, a Common Gateway Interface packet handling function that allows remote command execution through shell metacharacters, reportedly had 10 names and descriptions in various vendors' databases.

There was no easy way to tell when different databases referred to the same thing, and applying a fix was impossible if the administrator could not be sure what problem was involved.

The idea of writing a security dictionary came up in January during a workshop on security databases at Purdue University, said Pete Tasker, executive director of Mitre's security and information operations.

An editorial board with representatives from 19 organizations formed in May. Mitre maintains the database, moderates editorial board meetings and provides technical guidance.

"When we hit the point of about 1,000 entries, I expect CVE to be a very powerful tool," said Stephen Northcutt, director of intrusion detection programs at the SANS Institute of Bethesda, Md.

A common naming convention will let security tool databases share information and eventually improve their interoperability, Tasker said.

The CVE editorial board has members from Axent Technologies Inc. of Rockville, Md.; the Ballistic Missile Defense Organization; BindView Development Corp. of Houston; the CERT Coordination Center; Cisco Systems Inc. of San Jose, Calif.; CyberSafe Corp. of Seattle; GTE Internetworking of Cambridge, Mass.; Harris Corp. of Melbourne, Fla.; and IBM Corp.

Also on the board are representatives of Internet Security Systems Inc. of Atlanta; L-3 Network Security Systems LLC of Denver; Mitre; Network Flight Recorder Inc. of Woodbine, Md.; the NTBugtraq e-mail list; Purdue University; the SANS Institute; Web portal SecurityFocus.com; Silicon Defense of Arcata, Calif.; the University of California at Davis; and security consultant Adam Shostack.
