
Re: An interesting bit of CVE history...



Betsy,

 

I have done an article for internal purposes that some on this list have seen drafts of during its development. At the time it was for internal education but has been considered for external publication. It might need some minor cleanup to remove internal related items but other than that …

 

Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!ありがとうधन्यवाद!

-- 

Kent Landfield

+1.817.637.8026

kent_landfield@mcafee.com

 

From: "Kulick, Betsy" <betsy.kulick@hq.dhs.gov>
Date: Friday, May 11, 2018 at 11:01 AM
To: Kent Landfield <Kent_Landfield@McAfee.com>, "Coffin, Chris" <ccoffin@mitre.org>, CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: RE: An interesting bit of CVE history...

 

CVE Team: I have not met any of you, but am part of the DHS team helping to manage the contract under which this valuable work is conducted. And of course the CDM program uses the CVEs to help score agency risk posture, so we are a consumer as well.

 

I found the deck fascinating in terms of how long these challenges have existed, and note the remarkable progress in addressing some of them in the last 18 years (how time does fly).

 

The CVE story is interesting in terms of industry/academia/government partnership. Has anyone done a history of it for publication in any trade pubs? If not, I think it would be a worthwhile topic and would welcome any suggestions for input.

 

No need to “Reply All”, so as not to clog up inboxes.

 

Thanks again for the valuable service you provide.

 

Betsy Kulick, CISSP

Continuous Diagnostics and Mitigation

Deputy Program Manager

U.S. DHS/CS&C/NSD

Phone: 703-235-4255/ Mobile: 202-510-3275

Email: betsy.kulick@hq.dhs.gov

Supporting the DHS Mission: With honor and integrity, we will safeguard the American people, our homeland, and our values.

 

From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
Sent: Friday, May 11, 2018 10:54 AM
To: Coffin, Chris <ccoffin@mitre.org>; CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: An interesting bit of CVE history...

 

I ran across this. Sort of interesting as to how far we have come from then to our current crossing of the 100,000 mark…. Slide #8 has current members highlighted by me in red. ;)

 

Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!ありがとうधन्यवाद!

-- 

Kent Landfield

+1.817.637.8026

kent_landfield@mcafee.com

 

From: "Coffin, Chris" <ccoffin@mitre.org>
Date: Thursday, May 10, 2018 at 2:42 PM
To: CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: CVE Board Meeting Summary - 2 May 2018

 

CVE Board Meeting 2 May 2018

Board Members in Attendance

William Cox (Synopsys)

Beverly Finch (Lenovo)

Kent Landfield (McAfee)

Scott Moore (IBM)

Pascal Meunier (CERIAS/Purdue University)

Kurt Seifried (RedHat)

Dave Waltermire (NIST)

Andy Balinsky (Cisco)

 

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Jonathan Evans

Joe Sain

George Theall

 

Agenda

2:00 – 2:10: Introductions, action items from the last meeting – Chris Coffin

2:10 – 2:30: Working Groups 

  • Strategic Planning – Chris Coffin
  • Automation – Chris Johnson, Dave Waltermire

2:30 – 2:50: CNA Update

  • DWF – Kurt Seifried
  • MITRE – Jonathan Evans, Nick Caron

2:50 – 3:15: Takeaways from RSA Conference – Joe Sain

3:15 – 3:30: Board Charter Update Status and Next Steps – Chris Coffin

3:30 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

Previous Action Item: Send email to the Board list to get opinions on a potential Charter update that would allow opening WG participation to anyone, not just Board members and CNAs. Is a Charter update needed to describe this or does the Board feel this is already implied?

  • Status: Sent email on 5/2. Dave Waltermire thinks the fact that this is up for discussion signifies a necessity to add clarification in the Charter(s). Should the clarification be in each WG Charter or the overarching Board Charter? Dave suggests the verbiage in the Board Charter say something like: “When forming a working group, the individual WG Charter will indicate the participation model of the working group.” It’s okay to indicate a default position that, unless otherwise stated, the WG will be open to the public. Group decided to live edit the Charter; edited version will go out for a review and vote (review period between today and Sunday; voting period begins Monday, May 7 and will last two weeks).

 

Previous Action Item: MITRE to talk to Kurt about DWF resources and helping him where needed.

  • Status: Will setup meeting this week or next.

 

Previous Action Item: Jonathan and Chris to discuss getting the Board some of the raw data that informs CNA report cards.

  • Status: Done.

 

Previous Action Item: MITRE will send an email to the Board to ask them for input regarding the value of assigning CVE IDs for older vulnerabilities or vulnerabilities that will never be patched.

  • Status: Not yet done.

Previous Action Item: MITRE will communicate with the CNAs about the tagging of reserved CVE IDs with the CNA name. The pros and cons of tagging or not tagging will also be included and CNAs will be encouraged to add their thoughts and concerns.

  • Status: Not yet done.

 

Agenda Items

Board Working Groups

Strategic Planning Working Group (Kent Landfield)

ISSUES: Walked through some of the updates to the roles presentation; Chris Levendis wants to ensure we are on the right path (provide objectives, etc.). The main changes to be done to the slides involve updating the process flows. The need for an ID allocation service was discussed—would it be better to assign a block that never changes for different CNAs? Jonathan Evans refers to them as “year over year” blocks and the “prefix model.” If we were to go with something like that, it does away with the need for an ID allocation service.

There is a need to encourage “good behavior” and discourage “bad behavior” with regard to using and publishing CVE IDs.

ACTIONS: Put some use cases together so that the problem statement is well articulated and then send out to the Board.

 

BOARD DECISIONS: N/A

 

Automation Working Group (Chris Johnson / Chris Coffin)

ISSUES: An action item that came out of Monday’s Automation Working Group meeting was to send out charters for the JSON format and the CNA registry, as well as for the AWG itself. Chris Johnson would like to receive approval from the Board that it represents the necessary AWG activities. Project repos have been set up on GitHub and we will build those out. The changes to the JSON format that were requested for NVD were implemented (name attributes, changes to how white space is being handled). NVD is in the process of sending out new code to enable the generation of the CVE list from the repository rather than the allitems.xml file.

There was a discussion on outreach—as participation is increased, who would be appropriate candidates for participation in the AWG? Also discussed, in preparation for spinning up the groups, what sort of documentation do we need to explain our processes (channels for participation, access to GitHub account, POCs, user stories, reporting, etc.). Kurt provided sample documentation, so we have some examples to use. We also talked a little about issue management and communication mechanisms, which can be added to the processes document.

ACTIONS: Chris Johnson will forward the email for distribution to the Board regarding the review and approval of the AWG and AWG Project charters. Chris Johnson will put together a draft processes document and put on GitHub for review.

BOARD DECISIONS: N/A

CNA Updates

DWF (Kurt Seifried)

STATUS: No updates

ISSUES/DISCUSSION: N/A

ACTIONS: N/A

MITRE (CVE Team)

STATUS: Two requests to become CNAs—one was Xen (referred to DWF) and one was Teltonica (IoT maker in Lithuania). Jonathan will try to get more information from them. No new CNAs since last week.

DISCUSSION: N/A

ACTIONS: None

Takeaways from RSA Conference (Joe Sain)

DISCUSSION: Joe had an Expo pass and spent all his time on the floor. Looks like an increasing number of companies are looking at analytics platforms that look at existing data feeds—fusing that data together rather than relying strictly on their own data and intelligence. There were some interesting things in the health care sector, including a company, Cynerio, that performs passive network discovery, device categorization, and anomaly detection on hospital networks. We are also beginning to see an increasing number of Industrial Security Control (ISCS) vendors at the conference. People that we spoke to were very positive about CVE, and there were about 20 companies that expressed interest in the CNA program and the possibility of becoming a CNA.

ACTION: N/A

Open Discussion

Amazon Alexa Issue (Chris Coffin)

DISCUSSION: Issue with Amazon Alexa that it may record information and conversations you don’t want recorded. There is an IoT and SaaS issue here. Does this necessitate a CVE? He has had communication with Amazon about this topic; they are not looking at this as a CVE (they’d rather it not be released). Kurt has done some research—red LED light should be lit at the top if not recording. As a user, do I have any control over the microphone? You should get an alert and allow it or not. In this case, with the way Alexa is used and deployed, you’re not staring at it. Alexa has a very sensitive microphone. It can record if you’re not in the same room—and you can’t see the LED light, which indicates if it’s recording or not. Amazon is saying they will fix this to some degree—can we change the behavior of Alexa to mitigate the problem? Amazon thinks yes. Would the CVE be against Alexa, or a component of that device?

The group consensus: Kent—not ready to say it’s a vulnerability; Dave said the same. Beverly doesn’t have an opinion yet. Chris Johnson needs to look at the issue more closely. Pascal is convinced it’s a vulnerability but is willing to entertain the possibility that it doesn’t need a CVE (but he thinks it does). Chris Coffin thinks similarly to Jonathan—we should write the CVE specifically for the re-prompt feature. The consensus from the Board members on the call is that if a CVE is issued, it needs to be written with a very narrow description.

ACTION:

This issue will be summarized in a post to the CVE Board email list for further discussion.

Summary of Action Items

  • The Amazon Alexa vulnerability discussion will be summarized in a post to the CVE Board email list (MITRE)
  • Development of the user stories will continue, and the briefing charts will be updated (MITRE).
  • Email to be sent to the CNA list regarding the establishment of the CNA Working Group after the CVE Charter has been approved (MITRE).
  • Email to the Board regarding the beginning of step 4 of the Charter update process (MITRE).
  • Jonathan Evans to contact JPCERT to determine their progress as a Root CNA, including who from JPCERT is going to work with the Board on the Root CNA.
  • Set a date for the review of the Automation Working Group Charters by the CVE Board.

Significant Decisions:

None

 


Page Last Updated or Reviewed: May 16, 2018