cve_at_mitre.org
Date: Tue Nov 05 2002 - 20:48:36 CST

    Welcome to the latest edition of the CVE-Announce e-newsletter. This
    email newsletter is designed to bring recent news about CVE, such as
    new versions, upcoming conferences, new Web site features, etc. right
    to your emailbox. Common Vulnerabilities and Exposures (CVE) is a list
    or dictionary that provides common names for publicly known
    information security vulnerabilities and exposures. CVE content
    results from the collaborative efforts of the CVE Editorial Board,
    which is comprised of leading representatives from the information
    security community. Details on subscribing (and unsubscribing) to the
    email newsletter are at the end.

    Comments: cve@mitre.org

    -------------------------------------------------------
    CVE-Announce e-newsletter/November 5, 2002
    -------------------------------------------------------

    FEATURE STORY:

    CVE Names Included in Consensus List of "Top Twenty" Internet Security
    Threats

    The recently updated Twenty Most Critical Internet Security
    Vulnerabilities, a SANS/FBI consensus list of the most critical
    problem areas in Internet security, was released on October 7,
    2002. The list includes CVE names and CVE candidates (CANs) to
    uniquely identify the vulnerabilities it describes. This will help
    system administrators use CVE-compatible products and services to help
    make their networks more secure. The introduction page also includes a
    note that describes what CVE is, provides a link to the CVE Web site,
    and states: "The CVE and CAN numbers reflect the top priority
    vulnerabilities that should be checked for each item [on the consensus
    list]."

    In addition, several tools are now available that scan for the
    vulnerabilities included in the SANS/FBI top twenty list. A PDF
    describing the five organizations offering the tools may be downloaded
    from the SANS Web site. All of the organizations identified and their
    scanners are listed on the CVE-Compatible Products and Services page:
    Qualys, Internet Security Services, Foundstone, Nessus, and Advanced
    Research Corporation. The scanners are all CVE-compatible and use CVE
    names and CVE candidates (CANs) to uniquely identify the
    vulnerabilities described in the top twenty list.

    SANS is a member of the CVE Editorial Board and its education and
    training materials are listed on the CVE-Compatible Products and
    Services page.

    LINKS:

    Twenty Most Critical Internet Security Vulnerabilities -
    http://www.sans.org/top20/

    Scanner tools for top twenty list (PDF) --
    http://www.sans.org/top20/tools.pdf

    CVE List - http://cve.mitre.org/cve

    CVE Terminology -- http://cve.mitre.org/about/terminology.html

    CVE-Compatible Products and Services -- http://cve.mitre.org/compatible/

    -------------------------------------------------------------
    HOT TOPIC:

    Apple Computer Includes CVE Names in Security Advisories

    CVE Recommended by NIST in Special Publication 800-51 "Use of the
    Common Vulnerabilities and Exposures (CVE) Vulnerability Naming
    Scheme"

    The USA National Institute of Standards and Technology (NIST) released
    a September 2002 special document entitled NIST Special Publication
    (SP) 800-51, "Use of the Common Vulnerabilities and Exposures (CVE)
    Vulnerability Naming Scheme" that recommends the use of the CVE List
    and CVE-compatible products and services by U.S. agencies. A draft of
    this document was issued for public comment and review in January.

    Specifically, the final publication "recommends that federal agencies
    make use of the Common Vulnerabilities and Exposures (CVE)
    vulnerability naming scheme by (1) giving substantial consideration to
    the acquisition and use of security-related IT products and services
    that are compatible with CVE; (2) monitoring their systems for
    applicable vulnerabilities listed in CVE; and (3) using CVE names in
    their descriptions and communications of vulnerabilities."

    The document is available on the NIST Special Publications page of the
    NIST Computer Security Resource Center (CSRC) Web site. NIST is a
    member of the CVE Editorial Board, and the NIST ICAT metabase is
    listed on the CVE-Compatible Products/Services page.

    LINKS:

    NIST Special Publication (SP) 800-51, "Use of the Common
    Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" --
    http://csrc.nist.gov/publications/nistpubs/800-51/sp800-51.pdf

    National Institute of Standards and Technology (NIST) --
    http://www.nist.gov/

    CVE-Compatible Products and Services -- http://cve.mitre.org/compatible/

    -------------------------------------------------------------
    UPCOMING EVENT!

    CVE to Host Booth/Present Paper at IMN Cyber Security in the Financial
    Sector Summit, November 20-22

    MITRE is scheduled to host a CVE exhibitor booth at the IMN Cyber
    Security in the Financial Sector Summit at the Crowne Plaza Times
    Square, New York, New York, USA, November 20-22. Robert A. Martin, CVE
    Compatibility Lead, will present his paper on CVE entitled "Integrating
    Your Information Security Vulnerability Management Capabilities
    through an Industry Standard (CVE)" on November 22nd. Several
    companies with CVE-compatible products/services will also be
    exhibiting throughout the exposition.

    This summit and exposition will expose the CVE Initiative to
    professionals from U.S. government agencies, state and local
    governments, and the private sector responsible for protecting the
    critical infrastructures of the financial sector.

    Visit the CVE Calendar page at http://cve.mitre.org/news/calendar.html
    for links to this and other upcoming events.

    -------------------------------------------------------------
    Also in this issue:

    * TippingPoint Technologies Makes CVE Compatibility Declaration

    * CVE Presents Paper at 21st Digital Avionics Systems Conference

    * CVE Presents Briefing at Open Source Security Summit

    * CVE Presents Paper at NDIA 5th Annual Systems Engineering Conference

    * CVE Editorial Board Holds Teleconference

    * Qualys Makes CVE Compatibility Declaration

    * Archer Technologies LLC Makes CVE Compatibility Declaration

    * CVE List Exceeds 5,000 Security Issues

    * CVE Presents Paper at Quality Week Conference

    * CVE Hosts Booth/Participates on Discussion Panels at SECTOR 5 Conference

    * CVE Included in TechRepublic Article about Preventing and Dealing with
    Network Hacks

    * IntruVert Networks, Inc. Makes CVE Compatibility Declaration

    * CVE Senior Advisory Council Holds Meeting

    Read these stories and more news at http://cve.mitre.org/news

    -------------------------------------------------------------
    Subscribe to "CVE-Data-Update" for Technical Updates

    Intended for technical users of CVE such as vulnerability database
    maintainers or those who require timely notification of new
    candidates, the "CVE-Data-Update" e-newsletter provides subscribers
    with reports of new CVE entries and/or candidates and other detailed
    technical information regarding CVE. Subscribe now at
    http://cve.mitre.org/signup/register.html .

    ---------------------------------------------------------------
    Details + Credits

    Managing Editor: Steve Christey, Information Security Technical
    Center. Writer: Bob Roberge, Corporate Communications. The MITRE
    Corporation (www.mitre.org) maintains CVE and provides impartial
    technical guidance to the CVE Editorial Board on all matters related
    to ongoing development of CVE.

    To unsubscribe from the CVE-Announce e-newsletter, open a new email
    message and copy the following text to the BODY of the message
    "SIGNOFF CVE-Announce-list", then send the message to:
    listserv@lists.mitre.org. To subscribe, send an email message to
    listserv@lists.mitre.org with the following text in the BODY of the
    message: "SUBSCRIBE CVE-Announce-List".

    For more information about CVE, visit the CVE Web site at
    http://cve.mitre.org or send an email to cve@mitre.org.