Security-Related RFCs and Mitre Nomenclature Projects
Security-Related RFCs
"RFC" = "Request For Comment". These documents define networking protocols and frequently discuss security issues. To access them, see the current complete list.
Learn the language:
RFC 1208 | A Glossary of Networking Terms
RFC 1983 | Internet Users' Glossary
RFC 4949 | Internet Security Glossary
Understand and carry out "best practice":
RFC 2196 | Site Security Handbook
RFC 2350 | Expectations for Computer Security Incident Response
RFC 2504 | Users' Security Handbook
RFC 3631 | Security Mechanisms for the Internet
RFC 6040 | Security Architecture for the Internet Protocol
RFC 4778 | Current Operational Security Practices in Internet Service Provider Environments
Mitre Nomenclature Projects
The U.S. government has contracted Mitre to define information nomenclature. Researchers, the IT industry, the anti-virus industry, and more need to have a common language to describe threats, defenses, and more. I was teaching a UNIX security course in the Washington DC area when these nomenclature projects came up. A student who worked for a U.S. Government agency said, "Oh, that sounds like such a Mitre project!", meaning that it was complicated, performed for the U.S. Government in return for vast sums of money, and was just the organization of actual work done by others. But these projects are useful to give the information security community a more useful common language.
NVD — National Vulnerability Database
Ties together many of these nomenclature projects, plus attempts to automate (or at least standardize) systems for calculating vulnerability scores.
http://nvd.mitre.org/
CVSS — Common Vulnerability Scoring System
Attempts to give you numbers so you can say, hopefully with some quantitative or at least meaningful support, "This thing is more secure than that thing." The CVSS refers to many of the below enumeration projects: CWE, CVE, and so on.
http://nvd.mitre.org/cvss.cfm
http://nvd.nist.gov/cvss.cfm
http://www.first.org/cvss/cvss-guide.html
CWE — Common Weakness Enumeration
Dictionary of software weakness types — crucial for understanding all the other lists!
For example:
Name: Absolute Path Traversal
CWE ID: 36
Description: The software can construct a path that contains absolute path sequences such as "/path/here."
Applicable Platforms: C, C++, Java, .NET
http://cwe.mitre.org/
CVE — Common Vulnerabilities and Exposures
Dictionary of publicly known information security vulnerabilities and exposures. What is the possible problem — what is the real threat, what are various researchers and companies calling it, and where can you learn more?
For example:
Name: CVE-2004-0356
Description: Stack-based buffer overflow in Supervisor Report Center in SL Mail Pro 2.0.9 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a long HTTP sub-version.
Status: Entry
Reference: BUGTRAQ:20040305 SLMail Pro Supervisor Report Center Buffer Overflow (#NISR05022004a)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107850488326232&w=2
Reference: CONFIRM:http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdf
Reference: MISC:http://www.nextgenss.com/advisories/slmailsrc.txt
Reference: XF:slmail-src-stack-bo(15398)
Reference: URL:http://xforce.iss.net/xforce/xfdb/15398
Reference: BID:9809
Reference: URL:http://www.securityfocus.com/bid/9809
http://cve.mitre.org/
CPE — Common Platform Enumeration
Standard identifiers and dictionary for platform and product naming, all in XML like many of the Mitre data sets.
For example:
<cpe-item name="cpe:/o:redhat:enterprise_linux:5::server">
<title xml:lang="en-us">Red Hat Enterprise Linux (v.5 server)</title>
</cpe-item>
http://cpe.mitre.org/
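The `name` attribute in that dictionary entry is a CPE 2.2 URI with seven colon-separated positional components (part, vendor, product, version, update, edition, language). The following is an added example, not code from this page or from Mitre, that parses such a URI and applies CPE 2.2's component-wise matching, in which a component left unspecified matches any value; `describe` is a helper of this example only.

```python
# Added example: parser and matcher for CPE 2.2 URIs such as the page's
# "cpe:/o:redhat:enterprise_linux:5::server" (not Mitre's dictionary code).
from urllib.parse import unquote

# The seven positional components of a CPE 2.2 name, in order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
PART_NAMES = {"h": "hardware", "o": "operating system", "a": "application"}


def parse_cpe(uri):
    """Return a dict of the seven components; omitted or empty components become ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    components = uri[len("cpe:/"):].split(":")
    if len(components) > len(CPE_FIELDS) or components[0] not in PART_NAMES:
        raise ValueError(f"malformed CPE URI: {uri!r}")
    components += [""] * (len(CPE_FIELDS) - len(components))
    # CPE 2.2 allows percent-encoding inside components, so decode each one.
    return dict(zip(CPE_FIELDS, (unquote(c) for c in components)))


def cpe_matches(pattern, name):
    """CPE 2.2 matching: a component left empty in `pattern` matches any value,
    while every specified component must equal the corresponding one in `name`."""
    p, n = parse_cpe(pattern), parse_cpe(name)
    return all(p[field] in ("", n[field]) for field in CPE_FIELDS)


def describe(uri):
    """Human-readable summary, e.g. 'operating system: redhat enterprise_linux 5 (server)'."""
    c = parse_cpe(uri)
    text = f"{PART_NAMES[c['part']]}: {c['vendor']} {c['product']}"
    if c["version"]:
        text += f" {c['version']}"
    if c["edition"]:
        text += f" ({c['edition']})"
    return text
```

With this, a CCE or OVAL check scoped to `cpe:/o:redhat:enterprise_linux` applies to the 5 server entry above, while one scoped to version 4 does not.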
CCE — Common Configuration Enumeration
Now that you know which OS you're dealing with (according to CPE), what are the specific configuration details that you will be told to adjust? Unique identifiers for common system configuration issues, and suggested configuration guidelines.
http://cce.mitre.org/
CME — Common Malware Enumeration
A single consistent label for use in security advisories and discussion of attack software.
For example:
CME ID: CME-416
Description: CME-416 is a multi-component mass-mailing worm that downloads and executes files from the Internet.
Aliases applied by the anti-virus industry:
Authentium: W32/Warezov.GC
AVIRA: TR/Dldr.Stration.C
CA: Win32/Stration.Variant!Worm
ClamAV: Worm.Stration.LY
ESET: Win32/Stration.NO
Fortinet: W32/Stration.DS@mm
Grisoft: I-Worm/Stration
Kaspersky: Email-Worm.W32.Warezov.ez
McAfee: W32/Stration@MM
Microsoft: Win32/Stration.DH@mm!CME-416
Norman: W32/Stration.ATT
Panda: W32/Spamta.KG.worm
Sophos: W32/Strati-Gen
Symantec: W32.Stration.DL@mm
Trend Micro: WORM_STRAT.DR
http://cme.mitre.org/
CAPEC — Common Attack Pattern Enumeration and Classification
Community-developed dictionary of attack methodologies. Useful for software development, and possibly for configuration design. Also useful for really understanding terminology.
http://capec.mitre.org/
OVAL — Open Vulnerability and Assessment Language
XML schema for representing system information and system configuration, and for reporting the result of testing for known vulnerabilities based on software version and configuration.
http://oval.mitre.org/