NVD is the U.S. government repository of standards-based vulnerability
management data. This data enables automation of vulnerability management,
security measurement, and compliance.
Description
The NVD classifies its entries using the Common Weakness
Enumeration (CWE), a list of entries that provide a common language for
discussing, finding and dealing with the causes of software security
vulnerabilities. Each individual CWE entry represents a single weakness
type (a root cause such as a missing bounds check), as distinct from a CVE,
which records one specific vulnerability in one product. CWE is currently
maintained by the MITRE Corporation, with support from the National Cyber
Security Division (DHS). The list provides a detailed definition for each
individual CWE.[1]
All individual CWEs are held within a hierarchical structure
that allows for multiple levels of abstraction. CWEs located at higher levels
of the structure (e.g. Configuration) provide a broad overview of a
weakness type and can have many child CWEs associated with them. CWEs
at deeper levels in the structure (e.g. Cross Site Scripting) provide a finer
granularity and usually have few or no child CWEs.
NVD integrates CWE into its analysis of CVE vulnerabilities
by providing a cross section of the overall CWE structure (the numeric
severity score of a CVE is a separate matter, produced with CVSS). NVD
analysts assign CWEs from different levels of the hierarchical structure. This
cross section of CWEs allows analysts to classify CVEs at both a fine and a
coarse granularity, which is necessary because different CVEs are described
with varying levels of specificity; where no CWE fits, or too little is
known, NVD records a placeholder instead. As of 9/2014 the NVD contained a
list of 64,098 vulnerabilities.
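The practical consequence of that cross section is that two CVEs may carry CWEs from different depths of the tree, so any count "by weakness type" has to roll the assignments up to a common level first. The following is an added example (not code from NVD, MITRE or the original post) that does exactly that: it walks a child-to-parent map upward, clamps at the root, and keeps NVD's placeholder values visible rather than silently dropping them. The parent links are a small constructed sample in the shape of CWE's ChildOf relations, taken from the CWE view current at the time of writing; the authoritative, versioned tree is the CWE XML download from MITRE. The records are constructed to mimic the `weaknesses` field of NVD's JSON 2.0 CVE feed, with obviously fake CVE ids.

```python
"""Roll up per-CVE CWE assignments to coarser levels of the CWE hierarchy."""
from collections import Counter

# Constructed sample of ChildOf links (child -> parent), CWE-79 down to the
# pillar CWE-707 and CWE-120 down to the pillar CWE-664. Real CWE entries can
# have more than one parent; a roll-up has to pick one view, as done here.
PARENT = {
    "CWE-79": "CWE-74",    # cross-site scripting is an injection weakness
    "CWE-89": "CWE-943",   # SQL injection -> data query logic neutralization
    "CWE-943": "CWE-74",
    "CWE-74": "CWE-707",   # injection -> improper neutralization (pillar)
    "CWE-120": "CWE-119",  # classic buffer overflow -> out-of-bounds access
    "CWE-787": "CWE-119",  # out-of-bounds write -> out-of-bounds access
    "CWE-119": "CWE-118",
    "CWE-118": "CWE-664",  # pillar: improper control of a resource
}

# NVD's own placeholder values: not enough information to choose (noinfo)
# or no existing CWE fits (Other). They roll up to themselves.
PLACEHOLDERS = {"NVD-CWE-noinfo", "NVD-CWE-Other"}

# Constructed records in the shape of NVD JSON 2.0 "cve" objects; fake ids.
SAMPLE_RECORDS = [
    {"id": "CVE-XXXX-0001", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}]}]},
    {"id": "CVE-XXXX-0002", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}]}]},
    {"id": "CVE-XXXX-0003", "weaknesses": [
        {"description": [{"lang": "en", "value": "CWE-120"}]},
        {"description": [{"lang": "en", "value": "CWE-787"}]},
    ]},
    {"id": "CVE-XXXX-0004", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]},
]


def lineage(cwe):
    """Return [cwe, parent, grandparent, ...] up to the root of the sample tree."""
    chain = [cwe]
    seen = {cwe}
    while chain[-1] in PARENT:
        nxt = PARENT[chain[-1]]
        if nxt in seen:  # guard against a cyclic mapping in malformed input
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def roll_up(cwe, levels):
    """Map a CWE to the ancestor `levels` steps above it, clamped at the root.

    levels=0 keeps the analyst's fine-grained choice; a large value collapses
    everything onto the pillar. Placeholders are returned unchanged so a
    report still shows how many CVEs have no usable weakness assignment.
    """
    if cwe in PLACEHOLDERS:
        return cwe
    chain = lineage(cwe)
    return chain[min(levels, len(chain) - 1)]


def cwes_of(record):
    """Extract the English CWE ids from an NVD 2.0-style CVE record."""
    return [
        d["value"]
        for w in record.get("weaknesses", [])
        for d in w.get("description", [])
        if d.get("lang") == "en"
    ]


def tally(records, levels):
    """Count CVEs per rolled-up weakness; a CVE with several CWEs counts once per CWE."""
    counts = Counter()
    for rec in records:
        for cwe in set(cwes_of(rec)):
            counts[roll_up(cwe, levels)] += 1
    return counts


if __name__ == "__main__":
    for levels in (0, 2, 10):
        print(f"levels={levels}: {dict(tally(SAMPLE_RECORDS, levels))}")
```

At `levels=0` the tally reproduces the analysts' fine-grained choices; at `levels=10` the two memory-safety CVEs land together under CWE-664 and the two injection CVEs under CWE-707, which is the coarse view an executive summary usually wants, while the `NVD-CWE-noinfo` record stays visible as its own bucket.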
Executive Guidance
The first step in preparing for the acquisition of
additional security expertise from manufacturers, vendors, security services
providers and consultants is the identification of information assets
that are vulnerable to cyber attacks. This should be based on public
intelligence about the characteristics of already known breaches in information
security. Public knowledge about cyber attacks should then be supplemented with
an examination of data from the National Vulnerability Database (NVD).
Particular attention should be given to the security flaws listed in the
Common Vulnerabilities and Exposures (CVE) list, which the NVD enriches with
severity scores, affected-product identifiers and weakness classifications.
Short-term actions should then proceed with an examination
of the immediate threats confronting the networks in place, as reported in
Computer Emergency Response Team (CERT) advisories. Communications with CERT
must be maintained without interruption (24/7) in order to capture information
about any "zero day" exploits that need immediate corrective action.
Intermediate-term actions will call for the evaluation and
validation of offerings from the existing vendors and suppliers to find what
can be accomplished with the installation of more robust countermeasures
against the identified flaws. Such actions may require enhancement of existing
security methods or a complete replacement of the security methods already in
place.
Long-term actions call for a complete reappraisal of the risk
environment of the enterprise. This should deal with a 3-5 year projection of
the new vulnerabilities to expect as attacker technologies improve and as the
digital presence of employees, contractors and suppliers starts offering a much
larger attack surface that must be defended.
For comments please e-mail paul@strassmann.com