ad info
   personal technology

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

CNN Websites
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines

 message boards




Dictionary defines cyber-threats

October 4, 1999
Web posted at: 9:47 a.m. EDT (1347 GMT)

by Dorte Toft


(IDG) -- he first official dictionary defining terms used to discuss computer systems vulnerabilities has been released, and while it may be scary reading for laymen, it's been long-awaited by those working to defend against cyber-threats.

Those on the front lines have had to fight more than the dark side of the hacker community, people who try to break into systems by exploiting bugs. They also have had to fight confusion arising from the fact that each of those bugs goes by many different names, registered in many different databases by vendors and security organizations, according to Peter Tasker, executive director of security and information at Mitre Corp.
  Make your PC work harder with these tips
  Defending against cyberattack
  Year 2000 World
 Reviews & in-depth info at's personal news page's products pages
  Hack this!
  Security Corner: Resources
  Known attacks and exploits
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletters
  Search in 12 languages
 News Radio
 * Fusion audio primers
 * Computerworld Minute

Mitre, a nonprofit engineering company based in Bedford, Mass., is the standard bearer of the Common Vulnerabilities and Exposures (CVE) dictionary and also its electronic host. Thus far the dictionary contains 321 entries, mostly bugs in operating systems such as in Windows NT, various Unix flavors and Linux.

Tasker gave the example of a bug that opens the way for an attack on Unix systems. The bug had 10 different names, given by different organizations such as Cisco Systems, IBM and CERT (Computer Emergency Response Team), a government-supported organization at Carnegie Mellon University, in Pittsburgh.

Having one common language will result in better tools for detecting intrusion and analyzing how vulnerable a system is, Tasker said.

Also, it will be easier to provide "the right medicine for the right disease," said Christopher Klaus, founder and chief technology officer at the software vendor Internet Security Systems.

"It will help customers to handle their security better," Klaus said. Buyers of software currently have a tough job: When a piece of out-of-the-box software is bought, they often have to download several patches before the system is safe enough to run, he added.

"Many of the issues come from software vendors trying too rapidly to get the software out of the door," Klaus said. Also, there is a lack of knowledge about vulnerabilities in the development phase, he said.

Programmers may not understand the impact of their code when the product ships, and weaknesses may not come to light until somebody outside has made an analysis, Klaus said.

The SANS Institute, representing 62,000 systems administrators and security professionals, also applauded the initiative taken by Mitre. Currently, SANS members have to read though piles of papers in the hope of staying updated on vulnerabilities, said Stephen Northcutt, director of SANS' intrusion detection program.

"And when CVE hits the point of 1,000 entries, it will be a powerful tool," Northcutt said.

Steve Christey, senior software analyst at Mitre, has identified 663 issues, half of them included in CVE. The rest are still being discussed by the 19-member editorial board, which consists of software tool vendors and security experts from academia and other organizations. P> Achieving agreement has not been easy, because what might be seen as a threat by one, might be seen as a necessary function by others, according to Mitre.

So far Mitre has no intention of looking for statistics in the CVE content, but Tasker jokingly talked of instituting a not-very-welcome prize to the software vendor with most entries in CVE.

While SANS' Northcutt said that the CVE will have an educational influence, its authors hope that at least one group doesn't learn too much from it.

"We did not want to be accused of providing crackers with information. That is why we have limited it to being a dictionary, without cross references, without hyperlinks to where the problem is discussed in details," said Tasker.

Dorte Toft is a U.S. correspondent for the IDG News Service in Boston.

Don't blame Back Orifice for security problems
September 29, 1999
Senate report: Nation at risk of Y2K-related terrorism
September 22, 1999
Does your Web site reveal too much?
September 28, 1999

U.S. aims to fight attacks on financial systems
(InfoWorld Electric)
Intrusion-detection software is hot, but can it really stop hackers cold?
(Network World Fusion)
Intrusion detection is a matter of taste
(Network World Fusion)
Start-up's 'decoy' server helps track hackers
(Network World Fusion)
Defending against cyberattack
(Network World Fusion)
ISS upgrades intrusion-detection product suite
(Network World Fusion)
Hack this!
(InfoWorld Electric)
IT goes on Y2K security alert
(InfoWorld Electric)
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

Common Vulnerabilities and Exposures dictionary
Mitre Corp.
SANS Institute online
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
Enter keyword(s)   go    help

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.