CVE-Announce e-newsletter/November 15, 2004 (Opt-in newsletter from the CVE Web site)
From: cve@mitre.org
Date: Tue Nov 16 2004 - 16:02:27 CST
Welcome to the latest edition of the CVE-Announce e-newsletter. This email
newsletter is designed to bring recent news about CVE, such as new
versions, upcoming conferences, new Web site features, etc. right to your
emailbox. Common Vulnerabilities and Exposures (CVE) is a list or
dictionary that provides common names for publicly known information
security vulnerabilities and exposures. CVE content results from the
collaborative efforts of the CVE Editorial Board, which is comprised of
leading representatives from the information security community. Details
on subscribing (and unsubscribing) to the email newsletter are at the end.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/November 15, 2004
-------------------------------------------------------
Contents:
1. Feature Story
2. Hot Topic #1
3. Hot Topic #2
4. Hot Topic #3
5. Upcoming Event!
6. Latest Compatible Products/Services
7. Also in this Issue
8. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
20 Additional Information Security Products/Services Now Registered as
Officially "CVE-Compatible"
Twenty information security products and services from nine organizations
are the latest to achieve the final stage of MITRE's formal CVE
Compatibility Process and are now officially "CVE-compatible." Each
product is now eligible to use the CVE-Compatible Product/Service logo,
and their completed and reviewed "CVE Compatibility Requirements
Evaluation" questionnaires are posted as part of their product listings on
the CVE-Compatible Products and Services page on the CVE Web site.
Fourteen products were previously declared officially compatible in
February.
The following products are now registered as officially "CVE-Compatible":
Citadel Security Software Inc.
- Hercules
DragonSoft Security Associates, Inc.
- Dragonsoft Secure Scanner
eEye Digital Security
- Retina Network Security Scanner
Internet Security Systems, Inc.
- X-Force Database
- X-Force Alerts and Advisories
- Internet Scanner
- System Scanner
- RealSecure Network 10/100 and Network Gigabit
- RealSecure Server Sensor
- SiteProtector
nCircle Network Security, Inc.
- IP360 Vulnerability Management System
PredatorWatch, Inc.
- PredatorWatch Auditor 16 and Update Service
- PredatorWatch Auditor 128 and Update Service
- PredatorWatch Auditor Enterprise and Update Service
SAINT Corporation
- SAINTbox
- WebSAINT
Trend Micro, Inc.
- Trend Micro Vulnerability Assessment
Symantec Corporation
- DeepSight Alert Services
- SecurityFocus Vulnerability Database
Venus Information Technology, Inc.
- Cybervision Intrusion Detection System
Use of the official CVE-Compatible logo by these organizations will allow
system administrators and other security professionals to look for the
logo when adopting vulnerability management products and services for
their enterprises. The compatibility process questionnaires will help
end-users compare how different products satisfy the CVE compatibility
requirements, and therefore which specific implementations are best for
their networks and systems.
An awards ceremony was held tonight in the Vendor Track Presentation
Theater at the Computer Security Institute's (CSI) "31st Annual Computer
Security Conference and Exhibition," November 8, 2004, at the Marriott
Wardman Park Hotel, in Washington, D.C., USA, to present Certificates of
CVE Compatibility to the organizations that have achieved this final
phase. Lawrence C. Hale, the Deputy Director of the National Cyber
Security Division, U.S. Computer Emergency Readiness Team (US-CERT) at the
Department of Homeland Security, presented the awards. Organizations
participating in the ceremony included Citadel Security Software Inc.;
eEye Digital Security; Internet Security Systems, Inc.; nCircle Network
Security, Inc.; PredatorWatch, Inc.; SAINT Corporation; and Symantec
Corporation.
For additional information about CVE compatibility and to review all
products and services listed, visit the CVE Compatibility Process and
CVE-Compatible Products and Services pages.
LINKS:
CVE Compatibility Process - http://cve.mitre.org/compatible/process.html
CVE-Compatible Products and Services - http://cve.mitre.org/compatible/
-------------------------------------------------------------
HOT TOPIC #1:
CVE Compatibility Milestone: 200 Products and Services Now Listed!
The CVE Initiative achieved a major milestone with 202 information
security products and services now listed in the CVE-Compatible Products
and Services section of the CVE Web site. These 200 products have been
declared CVE-compatible or are in the process of being made compatible by
125 organizations from industry, government, and academia from around the
world. Of these, 14 products/services from 10 organizations have achieved
the final phase of MITRE's formal CVE Compatibility Process and are now
officially CVE-compatible. These are indicated in the CVE-Compatible
Products and Services section with the CVE-Compatible product/service
logo.
"CVE-compatible" means that a product or service uses CVE names in a way
that allows it to cross-link with other repositories that also use CVE
names, as documented in the CVE compatibility requirements. Each item
listed on the CVE Web site includes a link to the organization's homepage,
the product or service name, type of product, link to the product
homepage, and a notation of the specific point in the CVE Compatibility
Process each product or service has reached. Many organizations have
multiple products and services listed. For additional usability, they are
also listed by product type, product name, organization, and country.
Product types include vulnerability databases; security archives and
advisories; vulnerability assessment and remediation; intrusion detection,
management, monitoring, and response; incident management; data and event
correlation; educational materials; and firewalls.
Visit the CVE-Compatible Products and Services page to review information
about CVE compatibility and about all 200 information security products and
services.
LINKS:
CVE-Compatible Products and Services - http://cve.mitre.org/compatible/
CVE Compatibility Process - http://cve.mitre.org/compatible/process.html
CVE Compatibility Requirements -
http://cve.mitre.org/compatible/requirements.html
-------------------------------------------------------------
HOT TOPIC #2:
5-Year Anniversary Q&A with CVE Co-Founder David Mann
Five years ago MITRE Senior Engineer David Mann co-founded CVE with
current Editor of the CVE List Steve Christey. Mann left MITRE not long
after the public launch of CVE to pursue other opportunities but has since
returned, allowing for a unique insider/outsider view of the CVE
Initiative.
Q: From a vendor perspective, what's the value of CVE to the information
security community?
Mann: At BindView, we really tried to focus on things that would provide a
direct business value for our customers. In terms of information security
solutions, the business needs that our customers mentioned most often were
to decrease their operational costs, manage their IT environment at an
acceptable level of risk, and meet their regulatory obligations. CVE
clearly delivered on the first of these goals by allowing users to more
quickly correlate vulnerability information. By enabling automated data
correlation and better clarity for emerging threat information, CVE also
enables organizations to do a better job of managing risk. Moving forward,
I believe it will be important to clarify how CVE helps with regulatory
compliance (for example, FISMA, DISTCAP, HIPAA), which should be easier as
CVE grows to cover configuration errors.
Q: What's the biggest difference from what you first imagined for CVE to
what it is today?
Mann: By far it is the difficulty in defining what a vulnerability
actually is. While CVE identifiers have immediate value for end users, I
think one of the big achievements of the effort has been Steve Christey's
"Content Decisions", which try to define how to count issues. Perhaps a
good analogy is the development of the Dewey Decimal system for organizing
and cataloging books. Actually, I think the vulnerability cataloging
problem is even harder than dealing with books.
Q: What are your thoughts on the success of CVE within the community, for
instance with the number of CVE-compatible products, number of
organizations including CVE names in their advisories, and so on?
Mann: It's gratifying, humbling and, at times, frustrating. A mentor
once advised me to look for problems, not solutions. CVE was definitely
born out of operational pains that Steve and I and others were trying to
solve for MITRE's Security Committee. So, when I see CVE numbers in
advisories or see the growing list of compatible products, it confirms to
me that the problems we were wrestling with were shared by others in the
security community. We were just fortunate enough to state the problem in
the right forum and context. The idea of assigning unique identifiers
quickly took on a life of its own.
The frustrating aspect of this is that the continued growth of CVE is also
an indication that the vulnerability management problem is still with us
and arguably, continuing to get more complicated and difficult to manage.
Q: Biggest surprise for you from CVE?
Mann: I get surprised every time I see a CVE identifier in print. I still
remember a hallway conversation with Jim Williams, who was one of the
senior people in my department (and who has since retired) [at MITRE]. I
was describing some of the problems that we were running into in our
vulnerability management efforts. More accurately, I was ranting and
raving about "how things should be" in a more perfect world. Jim told me
about a conference that was coming up and encouraged us to write up a
paper and to submit it. I mean, he really, really encouraged us.
Now when I see CVE identifiers, I always think of Jim and am reminded of
the impact that a mentor can have. It's quite a leap from a hallway rant
session to a commonly used standard. Jim easily could have nodded politely
and changed the subject. Instead, he invested a bit of time, energy and
encouragement and it had very surprising results.
Q: What are your thoughts on the future of CVE?
Mann: The discipline of vulnerability management has been evolving in the
past four years and so I think CVE will need to evolve with it. Most
obviously, traditional network-based vulnerability assessment has largely
been replaced with hybrid solutions that require credentials on the end
system being tested. This move goes hand-in-hand with a greater emphasis
on configuration settings (called "exposures" in CVE-speak), which require
credentialed-based solutions. At the same time, the whole patch management
market has emerged, again using credentialed mechanisms with a more narrow
focus. Vulnerability management has thus grown to include all three of
these: vulnerabilities (software flaws), patches, and configuration
management. For CVE to continue its relevance in this larger vulnerability
management context, it must grow to include all three. It's a challenging
problem. From a business point of view, I should add that regulatory
compliance will continue to refocus vulnerability management efforts more
on configuration and patch issues.
Another area of potential growth is the issue of directories.
Increasingly, the conceptual objects that security managers need to
lock-down aren't defined by the OS. Instead, they are defined by the
directory, or worse, by some overlap between the OS and the directory. For
example, the concept of "effective rights" tries to define what rights a
user has based both on the setting in the OS and on the setting in the
domain. This will force CVE to consider the question of moving from
OS-level vulnerabilities and exposures to include directory-level
vulnerabilities. Again, regulatory compliance is going to be a driver in
this regard, as it demands that organizations account for what their users
can and can't do.
LINK:
CVE List - http://cve.mitre.org/cve
-------------------------------------------------------------
HOT TOPIC #3:
CVE Names Included in Consensus List of "Top Twenty" Internet Security
Threats
The recently updated Twenty Most Critical Internet Security
Vulnerabilities, a SANS/FBI consensus list of the most critical problem
areas in Internet security, was released on October 8, 2004. The list
includes CVE names with both entry and candidate status to uniquely
identify the vulnerabilities it describes. This will help system
administrators use CVE-compatible products and services to help make their
networks more secure.
In addition, the introduction page includes a note that describes what CVE
is, provides a link to the CVE Web site, and states: "The CVE and CAN
numbers reflect the top priority vulnerabilities that should be checked
for each item [on the consensus list]."
SANS is a member of the CVE Editorial Board and its education and training
materials are listed on the CVE-Compatible Products and Services page.
LINKS:
SANS/FBI Twenty Most Critical Internet Security Vulnerabilities List -
http://www.sans.org/top20/
CVE-Compatible Products and Services - http://cve.mitre.org/compatible/
---------------------------------------------------------------
UPCOMING EVENT:
MITRE to Host CVE/OVAL Booth at "LISA 2004"
MITRE is scheduled to host a CVE/OVAL exhibitor booth at "LISA 2004,"
November 17 - 18, 2004, at the Atlanta Marriott Marquis in Atlanta, GA,
USA. The conference will expose CVE and OVAL to system administrators and
network professionals from industry, academia, and government. In
addition, organizations with CVE-Compatible Products and Services will
also be exhibiting.
Visit the CVE Calendar page for information about this and other upcoming
events. Contact cve@mitre.org to have CVE present a briefing or
participate in a panel discussion about CVE, OVAL, and/or other
vulnerability management topics at your event.
LINKS:
CVE Calendar - http://cve.mitre.org/news/calendar.html
CVE-Compatible Products and Services - http://cve.mitre.org/compatible/
-------------------------------------------------------------
LATEST COMPATIBLE PRODUCTS/SERVICES:
* PredatorWatch, Inc. declared that its vulnerability assessment appliance
and update service for small to medium enterprises, PredatorWatch
Auditor 16 and Update Service; its vulnerability assessment appliance
and update service for small mobile networks, PredatorWatch Auditor 128
and Update Service; and its vulnerability assessment appliance and
update service for large networks, PredatorWatch Auditor Enterprise and
Update Service; are CVE-compatible.
* ThreatGuard, Inc. declared that its vulnerability management system,
ThreatBox Network Security Appliance, is CVE-compatible.
* Backbone Security.com, Inc. declared that its network appliance and
managed service, Ribcage 2100, is CVE-compatible.
* NetMon2, LLC declared that its security information management/security
event monitoring (SIM/SEM) product, NetMonSecure, is CVE-compatible.
Find more information on these and other products at
http://cve.mitre.org/compatible/
-------------------------------------------------------------
ALSO IN THIS ISSUE:
* Senior Advisory Council Holds Meeting
* MITRE Hosts CVE/OVAL Booth at "FIAC 2004"
* MITRE Hosts CVE/OVAL Booth at "SANS Network Security 2004"
Read these stories and more news at http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Christey, Information Security Technical Center.
Writer: Bob Roberge, Corporate Communications. The MITRE Corporation
(www.mitre.org) maintains CVE and provides impartial technical guidance to
the CVE Editorial Board on all matters related to ongoing development of
CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org. To
subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2004, The MITRE Corporation. CVE and the CVE logo are registered
trademarks of The MITRE Corporation.
For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.