From: InfoSec News <alerts_at_private>
Date: Mon, 22 Sep 2008 01:04:44 -0500 (CDT)

http://www.gcn.com/online/vol1_no1/47170-1.html

By William Jackson
GCN.com
09/17/08



What’s in a name? Quite a lot, actually. A wealth of information is
available on information technology threats and vulnerabilities and the
best practices for countering them, but matching that information to
your needs can be difficult.



According to a paper Mitre Corp. published in 2007, “Descriptions of
vulnerabilities and configuration best practices have greater utility
when all participants share common names for the entities described.”
The not-for-profit organization develops and maintains a number of
standardized IT naming conventions.



The National Institute of Standards and Technology has incorporated
Mitre’s Common Platform Enumeration in the latest version of the
National Vulnerability Database, a comprehensive repository of
information on potential vulnerabilities in computer systems. NIST is
applying the CPE product-naming scheme in the NVD dictionary that
identifies names of products such as operating systems and applications.



Experienced systems administrators and security analysts can get by with
informal naming systems for platforms and products when they are dealing
with vulnerabilities and configuration issues. But automated security
practices require a more consistent and structured naming scheme that
allows tools and people to identify the IT platforms to which a
vulnerability or security guidance applies. With a clear naming scheme,
administrators can generate IT platform names consistently and
predictably.



NIST made more than 80,000 updates to NVD in preparation for the latest
upgrade, which enables greater automation of security processes. Data in
the earlier NVD product dictionary was suitable only for human use
because its structure was loosely defined. However, the new dictionary
enables the data to be used in machine-to-machine communications. For
example, a database of network assets listing hardware, software,
patches and service packs can be correlated with a database of security
vulnerabilities, thereby identifying vulnerabilities that might be
present on instances of software. That is made possible by linking NVD’s
large repository of vulnerability information to standard product names.
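
The asset-to-vulnerability correlation described above, as an added
example (not from the article, NIST or Mitre). It assumes the CPE 2.x URI
form cpe:/part:vendor:product:version:update:edition:language, with an
omitted component meaning "any"; the hosts, product names and
vulnerability ids are constructed, and matching is simplified to
per-component equality.

```python
from urllib.parse import unquote

FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe(uri):
    """Split a CPE 2.x URI into its seven named components."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE URI: {uri!r}")
    # Split on ':' first, then percent-decode, so an encoded colon stays data.
    parts = [unquote(p).lower() for p in uri[5:].split(":")]
    if len(parts) > len(FIELDS) or parts[0] not in ("a", "o", "h"):
        raise ValueError(f"malformed CPE URI: {uri!r}")
    # Omitted trailing components become empty strings, meaning "any".
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))

def cpe_matches(pattern, installed):
    """True if every component the pattern specifies equals the installed one."""
    p, i = parse_cpe(pattern), parse_cpe(installed)
    return all(p[f] == "" or p[f] == i[f] for f in FIELDS)

def correlate(assets, vulns):
    """Return sorted (host, vuln_id) pairs where an installed product is affected."""
    hits = set()
    for host, installed in assets.items():
        for vuln_id, affected in vulns.items():
            if any(cpe_matches(a, name) for a in affected for name in installed):
                hits.add((host, vuln_id))
    return sorted(hits)

# Constructed asset inventory: host -> CPE names of what is installed.
ASSETS = {
    "web01": ["cpe:/o:exampleos:linux:5.2", "cpe:/a:examplecorp:httpd:2.2.8"],
    "db01": ["cpe:/o:exampleos:linux:5.2", "cpe:/a:examplecorp:httpd:2.2.9"],
    "ws07": ["cpe:/a:ExampleCorp:office_suite:12.0:sp1"],
}
# Constructed vulnerability records: placeholder id -> affected CPE names.
VULNS = {
    "EXAMPLE-VULN-1": ["cpe:/a:examplecorp:httpd:2.2.8"],
    "EXAMPLE-VULN-2": ["cpe:/a:examplecorp:office_suite:12.0"],
    "EXAMPLE-VULN-3": ["cpe:/o:exampleos:linux"],
}
```

An informal name such as "Example httpd 2.2.8" is rejected by parse_cpe
rather than silently failing to match, which is the gap the structured
dictionary closes.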



[...]








Received on Sun Sep 21 2008 - 23:04:44 PDT




