Computerworld
Quick Menu
Search



Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 
Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

RSA: Major companies tout new vulnerability rating system

The Common Vulnerability Scoring System was unveiled yesterday
 

Sign up to receive Security Resource Alerts

February 18, 2005 (IDG News Service) -- Leading IT companies including Cisco Systems Inc., Microsoft Corp. and Symantec Corp. are promoting a rating system that will standardize severity ratings of software vulnerabilities.
A plan for the new system, called the Common Vulnerability Scoring System (CVSS), was unveiled at the RSA Conference in San Francisco yesterday. If widely adopted, it would provide a common language for describing the seriousness of computer security vulnerabilities and replace vendor-specific rating systems, according to Mike Schiffman, a researcher at Cisco.
Schiffman offered a presentation on the system at RSA.
The new scoring system is part of a project by the National Infrastructure Advisory Council to create a global framework for disclosing information about security vulnerabilities. Representatives from government and the IT industry contributed to the CVSS proposal, including eBay Inc., Qualys Inc., Internet Security Systems Inc. and Mitre Corp.
NIAC, part of the U.S. Department of Homeland Security, is concerned with the security of information systems that support critical infrastructure in areas such as banking, finance, transportation, energy and manufacturing.
CVSS will use standard mathematical equations to calculate the severity of new vulnerabilities based on basic information such as whether a vulnerability can be remotely exploited or whether an attacker must log into a vulnerable system before being able to exploit a security hole, said Gerhard Eschelbeck of Qualys.
CVSS ratings will also consider timing issues, such as whether an exploit or a software patch for a specific vulnerability is available, and how long it has been available, he said.
The new rating system will be akin to the Common Vulnerabilities and Exposures (CVE) database maintained by Mitre, which provides standard identifiers and information about software holes. As with CVE, vendors will most likely use CVSS ratings as a common base of reference but continue to offer their own analysis or threat assessments, Eschelbeck said.
IT security vendors will use the CVSS in their products to evaluate and prioritize software vulnerabilities. Vendors will also be asked to provide ways for customers to enter information about their IT environment, such as the number and type of systems affected, before calculating a final CVSS rating, he said.
For example, a remotely exploitable vulnerability that affects a worker's desktop system might have a different CVSS rating than one that affects a critical payroll or human resources server, Eschelbeck said.
The system will be different from rating systems such as Symantec's ARIS attack scoring system because it will not be used as a warning system for malicious-code outbreaks, according to Schiffman's presentation.
CVSS has backing from major IT players and a detailed plan for implementation. However, the system doesn't yet have a home. Organizers are looking

Continued...
1 | 2 | NEXT  

Reprinted with permission from

IDG.net
Story copyright 2008 International Data Group. All rights reserved.


Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story
Mozilla updates Firefox 3.1 with Alpha 2 build
Microsoft explains Seinfeld-Windows TV ad: just a 'teaser'
Mozilla: Firefox is faster than Chrome
More top stories...
iPhone 3G owner sues Apple, AT&T over dropped calls, app crashes
At 10, Google reiterates commitment to CIOs
Analysts: Google spreading itself too thin
Users of Windows XP SP3 who try out IE8 Beta 2 won't be able to uninstall either one under certain circumstances.
Google has gone from innovative upstart to fat-and-happy industry leader in what seems like record time. Preston Gralla explains.
Microsoft's latest beta of IE8 includes better tab management, new services such as Web Slices and Accelerators, and the new 'porn mode.'
These leading-edge graduate schools are moving at the pace of the IT workplace, delivering coursework that's relevant to today's IT professionals.
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
The File Data Management Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Business Intelligence and Analytics Zone
Windows Protection Zone
Identity & Security Management Zone

Ads by TechWords

See your link here
From Laggard to Leader: Transforming the Data Center
From Laggard to Leader: Transforming the Data Center
Register for this complimentary live webcast today!
Go to the webcast 
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
(Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more.
Download this executive briefing download
Online Security Issues in Regulated Industries
Download this research paper, free for a limited time, compliments of Webroot!
(Source: Webroot Software) In June 2008, Computerworld invited IT and business leaders to participate in a survey on online security initiatives at their organizations. The goal of the survey was to better understand Web and e-mail security issues faced today within the regulated education, financial services, government and health care industries. The following report represents top-line results of that survey.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Death to PST: Hidden Cost of Email Mismanagement
Extend, Replace, or Convert; which is the best way forward for COBOL Applications?
The Trend from Unix to Linux in SAP Data Centers
View more whitepapers