
[CVEPRI] Editorial Board Teleconference Summary - September 27, 2001



I apologize for the delay in getting this out.

- Steve


Editorial Board Teleconference Summary - September 27, 2001
-----------------------------------------------------------

Participants
------------

Participants in the teleconference included:

  Stuart Staniford (Silicon Defense)
  David Mann (BindView)
  Ken Williams (esecurityonline.com)
  Pascal Meunier (Purdue CERIAS)
  Mike Prosser (Symantec)
  Andre Frech (ISS)
  Andy Balinsky (Cisco)
  Dana Foat (NSA)
  John Flowers (nCircle)
  Peter Mell (NIST)
  Scott Lawler (Veridian)
  Larry Oliver (IBM)
  Adam Shostack (Zero Knowledge)

MITRE participants included:

  Margie Zuk
  Bob Martin
  Steve Christey
  Dave Baker
  Barbara Pease
  Jeff Taylor
  Gerard Eldering


Content Update
--------------

Currently, there are 1604 entries and 1796 candidates.  563 legacy
candidates (i.e., candidates for issues discovered before 2000) were
proposed to the Board earlier in September.  There are approximately
5000 vulnerability submissions remaining, many of which describe
insecure configurations.  Configuration problems are difficult to
identify with CVE because configuration is system-dependent, and such
problems are not as well-studied as software implementation errors.
Teleconference participants were not aware of any detailed research in
the area of misconfiguration.  Some members of MITRE's content team
are currently trying to address Windows-based configuration problems.

Because of MITRE's emphasis on creating legacy candidates over the
summer, there is a 2-month backlog of candidates that need to be
created for more recent issues.  MITRE plans to create these
candidates by mid-October.

94 candidates are ready to be accepted as official entries, but they
are being delayed by Board members who are still reviewing them.
Reminder email messages will be sent to those members.  Several
hundred candidates do not have enough votes to be accepted as entries.
Many of these are from the recent group of 563 legacy candidates.

MITRE has set a goal of reaching 2002 total CVE entries by January 1,
2002.  This would require obtaining enough votes to accept 400 more
candidates.  This can be accomplished via focused votes on the legacy
candidates, many of which have high confidence and good documentation.
Also, CVE's data sources (see http://cve.mitre.org/cve/datasources.html)
could be provided with tailored voting ballots for candidates that are
known to be in the source's database.  Also, it is likely that several
hundred more new candidates will be proposed, reviewed, and accepted
in the next few months.  Finally, some CVE content decisions (CDs) are
expected to be finalized in the coming months.  When this happens,
candidates that are affected by those CDs can be accepted as official
CVE entries.  In addition, those CDs will be sent to the Editorial
Board mailing list, and published on the CVE web site.  CVE candidates and
entries will be linked with their associated CDs in a format that has
not been determined yet, possibly in the form of a report.  There is
some interest in this information, as CDs provide guidelines for CVE
content.

Finally, MITRE will create a small number of high-level candidates
related to worms and viruses.  As this type of malicious code becomes
more prevalent, there is an increased interest in obtaining CVE names
for such code.  This is reflected in the number of keyword searches
for virus names on the CVE web site.  Also, people frequently ask
whether CVE covers viruses.  While MITRE does not plan to solve the
virus naming problem - as it's best left to the anti-virus community -
it seems appropriate to capture the opinions of Editorial Board
members, via their comments on existing candidates.  These candidates
could list the most well-known viruses, which would be found during
keyword searches.  CVE users could then view the commentary from
Editorial Board members.


MITRE's Technology Transfer Program
-----------------------------------

Gerard Eldering, the director of MITRE's Technology Transfer Program,
spoke to Board members about the program.  It is intended to create a
mechanism for MITRE to provide certain knowledge and intellectual
property for the benefit of the public as well as MITRE's sponsors.  A
web page is available at http://www.mitre.org/tech_transfer/

Some of MITRE's tech transfer activities have been in the area of
information security, including:

  - An open source release of the Spitfire tool, which integrates
    information from various vendor IDS products into a single
    interface (see
    http://www.mitre.org/news/articles_01/spitfire_openchan09_04_01.shtml)

  - Licensing use of the ANSSR risk analysis system to Harris
    Corporation (see
    http://www.mitre.org/news/articles_01/tech-proto-may01.shtml)

  - Release of the Egressor tool, which can be used to test egress
    filtering

This portion of the teleconference was intended to raise awareness
among Board members, since MITRE expects to be performing similar tech
transfer activities in the future.

Board members who have questions or concerns regarding MITRE's tech
transfer activities may contact Steve Christey, Margie Zuk
(mmz@mitre.org), and/or Gerard Eldering (eldering@mitre.org).


Other Editorial Board Business
------------------------------

Now that the roles and responsibilities have been finalized, and the
new member recruitment process has been identified, MITRE will begin
to add new members to the Board.  A private mailing list has been
created to discuss prospective members; notification will be sent to
current members soon.  Some members will also be leaving the Board in
the coming months.  Those who have made contributions to the CVE
Initiative, but who are not Emeritus members, will be identified as
"former contributing members."

MITRE plans to update the Editorial Board page on the CVE web site to
identify the role of each member.  MITRE is also considering
publicizing each member's tasks as well.


CVE Compatibility
-----------------

The new requirements document is almost complete.  It is composed of a
high-level requirements document and several "implementation
requirements" documents for specific types of CVE-compatible
capabilities such as services, IDS/scanners, and web sites.  This
provides flexibility in defining more narrow requirements for specific
capabilities, without requiring major changes to the base requirements
document.

As discussed in previous meetings, a major component of the CVE
compatibility evaluation process will require the vendor to answer a
questionnaire, which will provide specific details for how the vendor
has satisfied the requirements.  Now that the requirements are near
completion, the questionnaire is being developed.  Rationales for the
requirements are also being added.

Once the documentation is complete, MITRE will test the evaluation
process on some of its own internal projects, such as the CVE web
site.  MITRE plans to complete this phase in 1 month.  MITRE will then
extend the tests to several "early adopters" - external organizations
whose products already satisfy the requirements.  After that phase,
the process will be fully publicized, and the formal evaluation of
compatible products can begin.  Currently, there are 62 products or
services whose vendors have made declarations of their intentions to
make their products CVE-compatible.  12 other organizations are
working on declarations.

Bob Martin (ramartin@mitre.org) is the lead of the CVE compatibility
task.

During the teleconference, Board members discussed the amount of
pressure and customer requests that vendors are receiving for making
their products CVE-compatible.  The responses were mixed.  Some
members did not see an increasing number of customers asking for CVE
compatibility.  Others had large customers who requested the
capability, in order to help them link with other CVE-compatible tools
that they use.  In other cases, customers would provide the vendor
with a list of CVE names, and ask the vendor which of those CVE items
were addressed by the vendor's product.  Industry analyses that
recommend CVE compatibility as a desired feature (such as the Network
Computing comparisons of IDSes and scanners) only have a temporary
effect.

There was some discussion regarding an upcoming NIST document which
will recommend that government agencies prefer CVE-compatible products
over those that are not compatible.  Several Board members said that
the upcoming guidelines were the strongest impetus for them to adopt
CVE-compatibility.  The creation of these guidelines was prompted by
the CVE Advisory Council.  Once published, there will be a public
comment period.

Board members were asked what percentage of their database could be
mapped to CVE names.  This effectively measures how close CVE is to
providing complete coverage across products.  Members provided a wide
range of answers, between 40% and nearly 100% for each database.  Some
of the coverage can be limited when the database includes items that
do not satisfy the CVE definition of vulnerability or exposure.  This
can include various attack-related events recorded by intrusion
detection systems, which will be covered by CIEL.


Common Intrusion Event List (CIEL)
----------------------------------

Now that the roles and responsibilities have been finalized, the CIEL
working group will be formed shortly.  Interested Board members will
be added to a separate mailing list.

Some issues with respect to membership have arisen out of the CIEL
efforts.  Some companies with 2 Board members may want additional
people to join in order to support CIEL, but generally there is a
2-person limit per organization on the Editorial Board.  This could be
addressed by allowing members on the CIEL working group who are not on
the Editorial Board.  Alternately, the Editorial Board membership
limits could be extended to 3 people, if one of them is working on
CIEL.

One teleconference participant asked whether the CIEL working group
will be a decision-making body.  This question will be addressed as
the working group grows.

MITRE presented a short update of its progress on CIEL.  Over the
summer, Bill Hill and Brian Caswell created a new version of CIEL.  In
September, Steve Christey met with Bill and Brian to evaluate that
version, and to map some signatures to CIEL entries.  Some
difficulties were encountered while doing the mappings.  The most
critical issue was that some CIEL entries overlapped.  As a result,
some IDS signatures could be mapped to 2 CIEL entries.  In addition,
the context fields - which provide greater levels of detail underneath
a CIEL entry - were insufficient to fully represent the related
signature.  At the very least, this indicates an issue with the
categories as currently chosen.  However, the MITRE team believes that
this sort of problem is likely to arise regardless of the
categorization scheme that is adopted within CIEL.  The MITRE team is
considering a significant change to CIEL by adopting a scheme in which
CIEL names are formed out of combinations of features ("field=value"
pairs), as opposed to a taxonomical scheme which forms the basis of
the names.  These features would provide greater flexibility in
representing attacks.  Unfortunately, due to the events of September
11, the MITRE team has not been able to conduct follow-up work to
further refine this new approach.


Other Topics
------------

In recent months, MITRE has been working with a security company from
China who wishes to translate CVE to the Chinese language.  The
company plans to offer a fully translated mirror of the CVE web site,
using several different Chinese character sets.  While MITRE does not
plan to actively search for other CVE translations at this time,
criteria have been devised to help determine qualified sites.

Finally, a teleconference participant asked about prioritization of
the content tasks, as the recent creation of legacy candidates has
introduced several new tasks.  It is recommended that Board members
prioritize their activities as follows:

- providing MITRE with information on remaining legacy submissions
  (these requests for consultation were sent a few days before the
  teleconference)

- tailored voting (e.g., MITRE will send voting "ballots" to its data
  sources for issues that are known to be in the source's database)

- voting on new or legacy candidates, based on the Board member's own
  priorities

Page Last Updated or Reviewed: May 22, 2007