FIRST Urges Wide-Scale Adoption of New Common Vulnerability Scoring System (CVSS); Cisco, eBay, Internet Security Systems, Qualys and Others Design Vendor-Agnostic Language for Measuring and Addressing Network Vulnerabilities.


RESEARCH TRIANGLE PARK, N.C. -- The Forum of Incident Response and Security Teams (FIRST) -- a not-for-profit network of computer security incident response teams representing government, law enforcement, commercial, education and other organizations worldwide -- has joined industry leaders in urging organizations throughout the global Information Technology (IT) community to test the first Common Vulnerability Scoring System (CVSS). FIRST is hosting and serving as custodian for updates to the CVSS, designed to give security professionals, business executives and end users across industries a standard language for measuring vulnerabilities of networked information systems and prioritizing responses.

CVSS was designed by a team of industry-leading companies, including Cisco Systems(R), Inc., eBay, Internet Security Systems and Qualys Inc. in support of the U.S. National Infrastructure Advisory Council (NIAC). It is a simple, open, vendor-agnostic system that factors seven base metrics along with time- and environment-dependent metrics in assigning a composite score representing the overall risk presented by a vulnerability.

"CVSS solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone," said Gavin Reid, FIRST's CVSS project manager and a member of Cisco's Computer Security Incident Response Team. "Because the framework is in its first-generation stage, there is a need for active participation and feedback within the global IT community. FIRST's goal is to increase the scoring system's usability and acceptance across industries."

At the initial meeting of FIRST's CVSS Special Interest Group, early adopters of the system, including Assuria, CERT/CC, Cisco Systems, IBM, Internet Security Systems, JPCERT/CC, netForensics, Pentest Ltd., Qualys, Sintelli, Skybox Security and Unisys, agreed to test the system and look into applicable usage within their companies. More than 30 governments and vendors were represented at the July meeting in Singapore.

"Through CVSS, the security industry has made incredible progress in creating a common language for understanding vulnerabilities and threats," said Gerhard Eschelbeck, one of the designers of CVSS and chief technical officer of Qualys. "There are already a number of organizations who have committed to CVSS and begun implementation. With the resources and focus of the FIRST team, we'll be able to take this initiative to the next level of widespread adoption."

IT specialists interested in finding out how they can participate in reviewing the CVSS framework and tools to facilitate end-user scoring can visit http://www.first.org/cvss.

About CVSS

CVSS, unveiled on the U.S. Department of Homeland Security's web site on Feb. 23, 2005, grew out of NIAC efforts to promote a common understanding of network threats. In a report released in January 2004, the NIAC defined a vulnerability as "a set of conditions that may lead to an implicit or explicit failure of the confidentiality, integrity or availability of an information system." The report said that hardware or software design flaws, botched administrative processes, lack of information-security awareness and education and/or failure to adhere to current practices could cause vulnerabilities. The effects, reported the NIAC, could include:

--one user's posing or being able to execute commands as another,

--the ability to access data beyond specified permission levels,

--abnormal denials of service, unauthorized destruction of data (either intentionally or inadvertently) and

--exploitation of encryption weaknesses.

Different systems for scoring vulnerabilities are in use today. Frequently "home-grown" (developed for specific organizations by their specific IT departments), these systems use different metrics, tend to be Internet-centric, fail to universally accommodate change and do not have provisions for operational environments of varying risk profiles. The CVSS development team sought to overcome these shortcomings and create a system that is freely available and simple to use by anyone, in any operational environment, for measuring any potential vulnerability. The metrics weighed in the CVSS formulas include impact to system availability, data confidentiality and integrity, as well as the vulnerability's exploitability and potential for collateral damage.
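The three-layer structure the release describes (fixed base metrics, time-dependent temporal metrics, organisation-specific environmental metrics) is easiest to see in code. The following is an added example written for this page, not code from the release, from FIRST or from any company named above. The metric names, weights and one-decimal rounding rule are those of the original CVSS v1 guide as the editor recalls them; the release only names the metric groups, so the numeric weights are an assumption to verify against the published guide. The scenario values and the two organisations are constructed.

```python
"""Worked CVSS v1 scoring: base, temporal and environmental layers.

Added example; not code from the release or from FIRST. The metric names,
weights and rounding rule are those of the original CVSS v1 guide (2005) as
the editor recalls them. The release itself names only the metric groups,
so treat the numeric weights as an assumption to check against the guide.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metrics: intrinsic to the flaw and fixed over time. The release counts
# seven: the six below plus ImpactBias.
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}   # used for C, I and A
# ImpactBias weights (confidentiality, integrity, availability); "normal" is even.
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}

# Temporal metrics: the "time-dependent" layer, revised as exploits and fixes appear.
EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.90,
                  "functional": 0.95, "high": 1.00}
REMEDIATION_LEVEL = {"official_fix": 0.87, "temporary_fix": 0.90,
                     "workaround": 0.95, "unavailable": 1.00}
REPORT_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95, "confirmed": 1.00}

# Environmental metrics: the "environment-dependent" layer, set by each organisation.
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def _round1(x: float) -> float:
    """Every CVSS v1 layer is rounded to one decimal place, halves rounding up."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av: str, ac: str, au: str, conf: str, integ: str, avail: str,
               bias: str = "normal") -> float:
    """10 * AV * AC * Au * weighted(C, I, A): the vendor-supplied, fixed part."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return _round1(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                   * AUTHENTICATION[au] * impact)


def temporal_score(base: float, expl: str, rl: str, rc: str) -> float:
    """Base score scaled down while exploit code is immature or a fix exists."""
    return _round1(base * EXPLOITABILITY[expl] * REMEDIATION_LEVEL[rl]
                   * REPORT_CONFIDENCE[rc])


def environmental_score(temporal: float, cdp: str, td: str) -> float:
    """Pull the temporal score toward 10 for collateral damage, then scale by
    how much of the organisation's estate is actually affected."""
    return _round1((temporal + (10 - temporal) * COLLATERAL_DAMAGE[cdp])
                   * TARGET_DISTRIBUTION[td])


def score_for_environment(cdp: str, td: str) -> dict:
    """Constructed scenario: one remotely reachable, unauthenticated flaw with
    complete C/I/A impact, a public proof of concept and no fix, scored for an
    organisation described by (cdp, td). Returns all three layers."""
    b = base_score("remote", "low", "not_required", "complete", "complete", "complete")
    t = temporal_score(b, "proof_of_concept", "unavailable", "confirmed")
    return {"base": b, "temporal": t, "environmental": environmental_score(t, cdp, td)}


if __name__ == "__main__":
    # Same advisory, two constructed organisations: base and temporal scores
    # are identical; only the environmental score, the part each organisation
    # owns, differs.
    for label, cdp, td in (("org A, flaw present on most hosts", "medium", "high"),
                           ("org B, flaw present on a few hosts", "medium", "low")):
        print(label, score_for_environment(cdp, td))
```

The point the release makes about "operational environments of varying risk profiles" is the last layer: the vendor publishes the base score once, the temporal factors move as exploits and patches appear, and each organisation applies its own collateral-damage and target-distribution values, so one advisory yields different priorities in different estates.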

NIAC is chartered to provide policy advice to the president of the United States. As it looked at the need for a global vulnerability-reporting framework, the NIAC recommended development of a common scoring system, which resulted in CVSS. Both the vulnerability disclosure framework and CVSS are suggested for global users. The NIAC published those reports as a public service, pulling out specific recommendations for the U.S. president. NIAC reports are available at http://www.dhs.gov/niac/.

About FIRST

FIRST believes that a global approach toward adoption of the new standard is the best strategy. FIRST is uniquely qualified, through the international collaboration occurring within the organization on a regular basis, both to promote the adoption of CVSS inside and outside of its membership and to maintain the standard going forward. As part of its mission, FIRST encourages and promotes the development of quality security products, policies and services and computer security best practices.

Related resources

Read more about the CVSS Project at

http://www.first.org/cvss & http://www.first.org/cvss/cvss-guide.html

Read more about FIRST at

http://www.first.org & http://www.first.org/about/
COPYRIGHT 2005 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication: Business Wire
Date: Sep 20, 2005