Security-Related RFCs and Mitre Nomenclature Projects
For a current index of all RFCs, see this page: http://www.rfc-editor.org/
"RFC" = "Request for Comments". These documents define Internet protocols and operational practice, and they frequently discuss security issues; every current RFC is required to carry a "Security Considerations" section.
Learn the language:
RFC 1208: A Glossary of Networking Terms
RFC 1983: Internet Users' Glossary
RFC 2828: Internet Security Glossary (since superseded by RFC 4949, Internet Security Glossary, Version 2)
Understand and carry out "best practice":
RFC 2196: Site Security Handbook
RFC 2350: Expectations for Computer Security Incident Response
RFC 2504: Users' Security Handbook
RFC 3631: Security Mechanisms for the Internet
RFC 4301: Security Architecture for the Internet Protocol (the IPsec architecture)
RFC 4778: Current Operational Security Practices in Internet Service Provider Environments
The U.S. government has contracted Mitre to define information security nomenclature. Researchers, the IT industry, the anti-virus industry, and others need a common language to describe threats, defenses, and the systems they affect. I was teaching a UNIX security course in the Washington DC area when these nomenclature projects came up. A student who worked for a U.S. Government agency said, "Oh, that sounds like such a Mitre project!", meaning that it was complicated, performed for the U.S. Government in return for vast sums of money, and was just the organization of actual work done by others. But these projects are useful: they give the information security community a more precise common language.
National Vulnerability Database
Maintained by NIST rather than Mitre, the NVD ties together many of these nomenclature projects: it indexes CVE entries and links each to the affected products (CPE), the underlying weakness category (CWE) and related configuration issues (CCE), and it attaches CVSS scores in an attempt to automate, or at least standardize, vulnerability scoring.
Common Vulnerability Scoring System
Attempts to give you numbers so you can say, with quantitative or at least consistently derived support, "This vulnerability is more severe than that one." Note what is being scored: CVSS rates an individual vulnerability, not the overall security of a product, by combining a fixed set of metrics (how the flaw is reached, the privileges and user interaction needed, and the impact on confidentiality, integrity and availability) into a score from 0.0 to 10.0. CVSS itself is maintained by FIRST rather than Mitre, but it is applied to the enumeration projects below: a score is attached to a CVE entry, and the NVD publishes it alongside the related CWE and CPE data.
Common Weakness Enumeration
Dictionary of software weakness types, crucial for understanding all the other lists: a CVE entry describes one vulnerability in one product, while the CWE entry names the underlying class of mistake. For example:
Absolute Path Traversal
CWE ID: 36
Description: The software builds a filesystem path from external input without neutralizing absolute path sequences such as "/path/here", so the input can name a file outside the directory the software meant to confine access to.
Applicable Platforms: C, C++, Java, .NET
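To make CWE-36 concrete, here is an added Python example (not from the page or from the CWE entry) showing the weakness beside its hardened form. The report directory, its one file, and the function names are constructed for the demonstration. The vulnerable version relies on os.path.join(), which discards every earlier component when a later one is absolute, exactly the behaviour CWE-36 describes; the hardened version canonicalizes the path and then checks containment, which also covers relative "../" traversal (CWE-22).

```python
import os
import tempfile

# Constructed sample layout (not from the page): one directory the
# application is meant to confine all file access to, with one report in it.
BASE = tempfile.mkdtemp(prefix="reports_")
with open(os.path.join(BASE, "q1.txt"), "w") as fh:
    fh.write("quarterly report\n")


def vulnerable_path(user_input):
    """CWE-36 as it usually appears in practice. os.path.join() drops BASE
    entirely when user_input is absolute, so the request "/etc/passwd"
    resolves to exactly /etc/passwd."""
    return os.path.join(BASE, user_input)


def safe_path(user_input):
    """Hardened version: canonicalize the joined path (collapsing "..",
    symlinks and duplicate separators), then require that the result still
    lies under BASE. This rejects absolute input (CWE-36) and "../" escapes
    (CWE-22, Relative Path Traversal) with the same check."""
    base = os.path.realpath(BASE)
    candidate = os.path.realpath(os.path.join(base, user_input))
    # commonpath() is the robust containment test; a plain startswith()
    # would accept "/srv/reports_evil" as being inside "/srv/reports".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the report directory: %r" % user_input)
    return candidate


def read_report(user_input):
    """The hardened entry point an application would expose."""
    with open(safe_path(user_input)) as fh:
        return fh.read()


if __name__ == "__main__":
    print("vulnerable:", vulnerable_path("/etc/passwd"))
    print("safe:", read_report("q1.txt").strip())
    for bad in ("/etc/passwd", "../../../../etc/passwd"):
        try:
            safe_path(bad)
        except ValueError as err:
            print("rejected:", err)
```

The same join-then-check pattern applies in the other listed platforms: Java's File(parent, child) and .NET's Path.Combine() both honour an absolute second argument the same way, so a containment check after canonicalization, not input filtering, is what closes the hole.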
Common Vulnerabilities and Exposures
Dictionary of publicly known information security vulnerabilities and exposures. What is the possible problem — what is the real threat, what are various researchers and companies calling it, and where can you learn more? For example:
Description: Stack-based buffer overflow in Supervisor Report Center in SLMail Pro 2.0.9 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a long HTTP sub-version.
Status: Entry
Reference: BUGTRAQ:20040305 SLMail Pro Supervisor Report Center Buffer Overflow (#NISR05022004a)
Common Platform Enumeration
Standard identifiers and a dictionary for platform and product naming. Like many of the Mitre data sets, the dictionary is distributed as XML; each entry pairs a machine-readable name, which tools match against, with a human-readable title, for example:
<title xml:lang="en-us">Red Hat Enterprise Linux (v.5 server)</title>
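The page shows only the human-readable title; the part a vulnerability scanner actually works with is the name. The following added Python example (not from the page or from the CPE dictionary tooling) parses the CPE 2.3 formatted-string form of the name, which the page does not specify but which current dictionaries carry alongside the older URI form. The dictionary fragment is constructed around the page's title element; its two name attributes are illustrative and not copied from the real NVD entry. The splitter handles the format's backslash escaping, where a literal colon inside a product name would otherwise shift every later field, and the matcher is a deliberately simplified version of the NIST name-matching rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed CPE dictionary fragment: the <title> is the page's, the two
# name attributes are illustrative, not copied from the real NVD dictionary.
SAMPLE_DICTIONARY = """<?xml version="1.0" encoding="UTF-8"?>
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
          xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">
  <cpe-item name="cpe:/o:redhat:enterprise_linux:5::server">
    <title xml:lang="en-us">Red Hat Enterprise Linux (v.5 server)</title>
    <cpe-23:cpe23-item name="cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:server:*:*:*"/>
  </cpe-item>
</cpe-list>
"""
NS_DICT = "{http://cpe.mitre.org/dictionary/2.0}"
NS_23 = "{http://scap.nist.gov/schema/cpe-extension/2.3}"

# The eleven attributes of a CPE 2.3 name, in formatted-string order.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe(name):
    """Split on unescaped colons only. A backslash escapes the following
    character, so a product written as app\\:suite stays one component;
    a plain name.split(':') would silently shift every later field."""
    fields, cur, i = [], [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            cur.append(name[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe(name):
    """'cpe:2.3:o:redhat:...' -> {'part': 'o', 'vendor': 'redhat', ...}.
    Rejects the older 'cpe:/...' URI form and wrong field counts."""
    fields = split_cpe(name)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % name)
    if fields[2] not in ("a", "o", "h", "*", "-"):
        raise ValueError("part must be a (application), o (OS) or h (hardware)")
    return dict(zip(ATTRS, fields[2:]))


def unescape(value):
    """Remove formatted-string escaping for display or comparison."""
    return re.sub(r"\\(.)", r"\1", value)


def cpe_match(pattern, target):
    """Simplified CPE name matching: each attribute of `pattern` must be the
    ANY wildcard '*' or equal the target's attribute; '-' (not applicable)
    only matches '-'. The full NIST rules also allow '?' and embedded '*'
    wildcards inside attribute values; those are not handled here."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(p[a] == "*" or p[a] == t[a] for a in ATTRS)


def load_dictionary(xml_text):
    """Return [(cpe 2.3 name, English title), ...] from a dictionary document."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter(NS_DICT + "cpe-item"):
        item23 = item.find(NS_23 + "cpe23-item")
        title = item.find(NS_DICT + "title")
        if item23 is not None:
            entries.append((item23.get("name"), title.text if title is not None else ""))
    return entries


if __name__ == "__main__":
    for name, title in load_dictionary(SAMPLE_DICTIONARY):
        print(title, "->", parse_cpe(name))
```

A vulnerability feed that says "affects cpe:2.3:o:redhat:enterprise_linux:*:..." is meant to be matched against an inventory of names like the one above; getting the split and the wildcard semantics right is what keeps such a scanner from either missing an affected host or flagging every Red Hat system for every Red Hat bug.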
Common Configuration Enumeration
Now that you know which OS you're dealing with (according to CPE), what are the specific configuration details that you will be told to adjust? Unique identifiers for common system configuration issues, and suggested configuration guidelines.
Common Malware Enumeration
A single consistent label for use in security advisories and discussion of attack software, so that one piece of malware does not circulate under a different name from each anti-virus vendor. (The CME project has since been discontinued.) For example:
CME ID: CME-416
Description: CME-416 is a multi-component mass-mailing worm that downloads and executes files from the Internet.
Aliases applied by the anti-virus industry:
Trend Micro: WORM_STRAT.DR
Common Attack Pattern Enumeration and Classification
Community-developed dictionary of attack methodologies. Useful for software development, and possibly for configuration design. Also useful for really understanding terminology.
Open Vulnerability and Assessment Language
XML schema for representing system information, system configuration, and reporting the result of testing for known vulnerabilities based on software version and configuration.