|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Universal vs. Environmental Policy, and the "vulnerability" term
- To: cve-editorial-board-list@lists.mitre.org
- Subject: Re: Universal vs. Environmental Policy, and the "vulnerability" term
- From: Pascal Meunier <pmeunier@purdue.edu>
- Date: Thu, 5 Aug 1999 12:48:50 -0500
- In-Reply-To: <199908042248.SAA16296@basie.mitre.org>
- Sender: owner-cve-editorial-board-list@lists.mitre.org
>If we can agree that it makes sense to distinguish between Universal >Policy Violations (UPV) and Environmental Policy Violations (EPV), >then is an EPV a "vulnerability"? No, but see below. A policy violation may result from misplaced trust (sabotage, incompetence, negligence, etc...) as well as an attack on a vulnerability. Therefore EPVs are a superset of what can be done with vulnerabilities, and other things too. To be a vulnerability, a fault must be exploitable to result in a policy violation, but a policy violation does not necessarily map back to a single specific low-level vulnerability. There is some confusion in this debate between detecting policy violations (e.g., service x is running), suggesting low-level policies (e.g., service x should not be running because its design is unsecure), low-level vulnerabilities, and macro-system-level vulnerabilities -- let's call those "macrovulnerabilities". Let me define macrovulnerabilities as vulnerabilities that arise from the assembly of services, hardware and software in a specific environment, while each of those individually does what it is supposed to do and nothing else. Let me go back to the fundamental rule of security: security through obscurity is not security. Therefore, services that enable the gathering of information are not real vulnerabilities or macrovulnerabilities. If having them running makes such a difference to your perceived security, then maybe your systems are not secure. I am against including those in the CVE. If we make the CVE a list of Bad Ideas, it will grow to infinity. Are services unsecure because they contain vulnerabilities, or because they are ill-designed services for which no implementation can ever be secure? In the first case, there should be a CVE entry for those vulnerabilities but not the service. If having the latter kind running allows someone to circumvent other common policies, then the service is a macrovulnerability. I think that services falling in this category deserve a CVE entry. In such a case I believe that there can be a one-to-one mapping between a macrovulnerability and low-level policy. Does this make sense? Pascal Microsoft Windows is also a way of thinking - or not thinking, to be more exact. -- RA Downes Radsoft Laboratories
- Follow-Ups:
- Re: Universal vs. Environmental Policy, and the "vulnerability" term
- From: Dave Mann <damann@mitre.org>
- Re: Universal vs. Environmental Policy, and the "vulnerability" term
- References:
- Universal vs. Environmental Policy, and the "vulnerability" term
- From: "Steven M. Christey" <coley@linus.mitre.org>
- Universal vs. Environmental Policy, and the "vulnerability" term
- Prev by Date: Review of vendor mappings at next week's CVE Review Meeting
- Next by Date: RE: CONTENT DECISION: Presence of Services or Applications (SA)
- Prev by thread: Universal vs. Environmental Policy, and the "vulnerability" term
- Next by thread: Re: Universal vs. Environmental Policy, and the "vulnerability" term
- Index(es):