
Security-Related RFCs and Mitre Nomenclature Projects

Security-Related RFCs

"RFC" = "Request For Comment". These documents define networking protocols and frequently discuss security issues. To access them, see the current complete list.

Learn the language:
RFC 1208 A Glossary of Networking Terms
RFC 1983 Internet Users' Glossary
RFC 4949 Internet Security Glossary
Understand and carry out "best practice":
RFC 2196 Site Security Handbook
RFC 2350 Expectations for Computer Security Incident Response
RFC 2504 Users' Security Handbook
RFC 3631 Security Mechanisms for the Internet
RFC 6040 Security Architecture for the Internet Protocol
RFC 4778 Current Operational Security Practices in Internet Service Provider Environments

Mitre Nomenclature Projects

The U.S. government has contracted Mitre to define information nomenclature. Researchers, the IT industry, the anti-virus industry, and more need to have a common language to describe threats, defenses, and more. I was teaching a UNIX security course in the Washington DC area when these nomenclature projects came up. A student who worked for a U.S. Government agency said, "Oh, that sounds like such a Mitre project!", meaning that it was complicated, performed for the U.S. Government in return for vast sums of money, and was just the organization of actual work done by others. But these projects are useful to give the information security community a more useful common language.

NVD — National Vulnerability Database
Ties together many of these nomenclature projects, plus attempts to automate (or at least standardize) systems for calculating vulnerability scores.

CVSS — Common Vulnerability Scoring System
Attempts to give you numbers so you can say, hopefully with some quantitative or at least meaningful support, "This thing is more secure than that thing." The CVSS refers to many of the enumeration projects listed below: CWE, CVE, and so on.

CWE — Common Weakness Enumeration
Dictionary of software weakness types — crucial for understanding all the other lists! For example:
Name: Absolute Path Traversal
Description: The software can construct a path that contains absolute path sequences such as "/path/here."
Applicable Platforms: C, C++, Java, .NET


CVE — Common Vulnerabilities and Exposures
Dictionary of publicly known information security vulnerabilities and exposures. What is the possible problem — what is the real threat, what are various researchers and companies calling it, and where can you learn more? For example:
Name: CVE-2004-0356
Description: Stack-based buffer overflow in Supervisor Report Center in SL Mail Pro 2.0.9 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a long HTTP sub-version.
Status: Entry
Reference: BUGTRAQ:20040305 SLMail Pro Supervisor Report Center Buffer Overflow (#NISR05022004a)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107850488326232&w=2
Reference: CONFIRM:
Reference: MISC:http://www.nextgenss.com/advisories/slmailsrc.txt
Reference: XF:slmail-src-stack-bo(15398)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15398
Reference: BID:9809
Reference: URL:http://www.securityfocus.com/bid/9809


CPE — Common Platform Enumeration
Standard identifiers and dictionary for platform and product naming, all in XML like many of the Mitre data sets. For example:
<cpe-item name="cpe:/o:redhat:enterprise_linux:5::server">
    <title xml:lang="en-us">Red Hat Enterprise Linux (v.5 server)</title>
</cpe-item>

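The `cpe:/...` name in that entry is a CPE 2.2 URI: seven colon-separated components (part, vendor, product, version, update, edition, language), where an empty or missing component means "any". The following Python is an added example, not Mitre's or NVD's code, showing how such a name is parsed and how a vulnerability feed's CPE name is matched against an inventory entry; it skips the URI percent-decoding the full binding allows.

```python
"""Parse CPE 2.2 URI names (the `cpe:/...` form) and match an inventory
entry against a vulnerability feed's CPE name.  Added illustration, not a
Mitre/NVD library; percent-encoded characters are not decoded here."""
from dataclasses import dataclass

# Component order defined by the CPE 2.2 URI binding.
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
PARTS = {"a": "application", "o": "operating system", "h": "hardware"}


@dataclass(frozen=True)
class CPE:
    part: str
    vendor: str
    product: str
    version: str
    update: str
    edition: str
    language: str

    def components(self):
        return tuple(getattr(self, f) for f in FIELDS)


def parse_cpe(name: str) -> CPE:
    """Split a CPE 2.2 URI into its seven components; "" means ANY."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    parts = name[len("cpe:/"):].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components in {name!r}")
    # Trailing components may be omitted entirely; treat them as unset.
    parts += [""] * (len(FIELDS) - len(parts))
    if parts[0] not in PARTS:
        raise ValueError(f"unknown part {parts[0]!r} (expected a, o or h)")
    # CPE names compare case-insensitively, so normalise once here.
    return CPE(*(p.lower() for p in parts))


def cpe_matches(feed_name: str, asset_name: str) -> bool:
    """True when every component the feed sets equals the asset's component.

    A component the feed leaves unset matches anything, so a feed entry for
    'enterprise_linux:5' covers the ':5::server' asset, but a feed entry
    that specifies the 'server' edition does not cover a bare ':5' asset.
    """
    feed, asset = parse_cpe(feed_name), parse_cpe(asset_name)
    return all(f == "" or f == a for f, a in zip(feed.components(), asset.components()))
```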

CCE — Common Configuration Enumeration
Now that you know which OS you're dealing with (according to CPE), what are the specific configuration details that you will be told to adjust? Unique identifiers for common system configuration issues, and suggested configuration guidelines.

CME — Common Malware Enumeration
A single consistent label for use in security advisories and discussion of attack software. For example:

Description: CME-416 is a multi-component mass-mailing worm that downloads and executes files from the Internet.
Aliases applied by anti-virus industry:
Authentium: W32/Warezov.GC
AVIRA: TR/Dldr.Stration.C
CA: Win32/Stration.Variant!Worm
ClamAV: Worm.Stration.LY
ESET: Win32/Stration.NO
Fortinet: W32/Stration.DS@mm
Grisoft: I-Worm/Stration
Kaspersky: Email-Worm.W32.Warezov.ez
McAfee: W32/Stration@MM
Microsoft: Win32/Stration.DH@mm!CME-416
Norman: W32/Stration.ATT
Panda: W32/Spamta.KG.worm
Sophos: W32/Strati-Gen
Symantec: W32.Stration.DL@mm
Trend Micro: WORM_STRAT.DR


CAPEC — Common Attack Pattern Enumeration and Classification
Community-developed dictionary of attack methodologies. Useful for software development, and possibly for configuration design. Also useful for really understanding terminology.

OVAL — Open Vulnerability and Assessment Language
XML schema for representing system information, system configuration, and reporting the result of testing for known vulnerabilities based on software version and configuration.