CVE-related events at SANS-NS '99
Below is my writeup of various events that occurred at last week's
SANS rollout. I believe it was highly successful, but it also
emphasized how much work we have left to do.
Other Board members who attended SANS, please send your own comments
to the list so that we can begin to prioritize our next activities.
******* CVE at SANS ********
CVE in SANS addresses
1) Dr. Jeffrey Hunker, Senior Director for Critical Infrastructure at
the White House National Security Council, gave a keynote address that
discussed the CVE Initiative as a positive step toward effective
collaboration across the community.
2) Steve Northcutt and Alan Paller both described CVE and its use
several times during various SANS courses.
1) Throughout the two-day vendor exhibit, anywhere from 1 to 6 Board
members were present at the CVE Booth. Each participant wore their
own "company uniform" and a "We Speak CVE" button.
2) "Do you speak CVE?" buttons were made available to the attendees.
While we don't know how many were given out, I believe that between
1/10 and 1/5 of all attendees were wearing the button by the end of
the second day.
CVE in IDNet
1) New vulnerabilities or exposures which were successfully exploited
during IDNet were assigned new CVE candidate numbers. While I am
still obtaining the details for some entries, I expect to have 2 or 3
new candidates as a result of IDNet.
2) Two presentations of CVE were given during the Intrusion Detection
Demonstration Network (IDNet), a test network which allowed "hackers"
to attempt to break into some systems while various vendors' IDSes
watched for the intrusions. Thanks go to Chris Pettit (IDNet chair)
and Steve Northcutt for providing these time slots.
3) During these times, attacks were conducted that were related to
about half of the original 25 Interoperability Demo CVE entries.
Thanks go to Eric Cole, Marty Roesch, and Dave Elfering who performed
4) At a BoF summarizing IDNet, I gave another discussion of CVE and
presented how well the IDSes detected 8 of the CVE-related attacks
(the analysis revealed some gaps). These results were also useful to
at least some of the participating IDS vendors. This BoF brought up a
number of related technical and organizational issues that I will
describe in the next email.
Consultations with Interested Parties
1) Throughout the SANS conference, Dave Mann and I, and no doubt
others, had a few consultations with parties who were interested in
participating in CVE (e.g. tool vendors and consulting agencies). The
excitement that CVE has generated, and the interests of many
organizations in participating, require that we re-evaluate the
structure of the Board, membership process, roles and requirements,