Why you really, really need a firewall--or two. CNET Security Watch


	*My new* plan for plugging software security holes** In the past two weeks, Robert Vamosi has rethought his proposal for improving software security. Instead of creating a third party to help out software makers, he says, these companies should support an existing organization: CERT.

By Robert Vamosi
Senior associate editor, CNET Reviews
(10/18/02)

A recent column in which I called for a third-party organization to investigate software security vulnerabilities generated a fair amount of reader e-mail. Most of you agreed that the Organization for Internet Safety (OIS), a group of security and software vendors that work together to fix flaws in their own products, would do little to improve the disclosure of software holes for the whole industry.

A few readers also thought I was too critical of Carnegie Mellon's CERT Coordination Center (CERT/CC). I said that CERT/CC was too slow to respond to vulnerabilities because of inadequate staffing. But it turns out that is not quite correct. Rather, CERT/CC could benefit from greater financial independence from the U.S. government. Now, I believe that security companies and software vendors should support the work done by CERT/CC, rather than create a new organization.

CERT's origin
From its inception, CERT was designed to handle Internet emergencies. It was created shortly after Robert Morris, Jr. launched the first worm attack on the Internet in November 1988. The Morris worm brought together members of the government and academia (then the primary users of the Internet) for containment strategy sessions. Afterward, these individuals decided to form a lasting coordination center to handle future Internet security events. The Defense Advanced Research Projects Agency (DARPA) chose Carnegie Mellon's Software Engineering Institute (SEI) as the home base.

Funded primarily by the Department of Defense, the General Services Administration, and other government agencies, CERT/CC raises additional support through collaborative research projects with private-sector companies. It has also received some funds from the Internet Security Alliance, a public and private partnership for Internet security.

CERT/CC's mission, according to Shawn Hernan, a senior member of the technical staff there, is to provide "a clearinghouse for communicating information about vulnerabilities."

CERT/CC's mission, according to Shawn Hernan, a senior member of the technical staff there, is to provide "a clearinghouse for communicating information about vulnerabilities." Hernan manages a team of seven security researchers who maintain secure communications channels with more than 400 software and hardware vendors, including the government and some private organizations. CERT/CC also maintains a vulnerability catalog, available only to the government and Internet Security Alliance members, and an in-house database of all reported vulnerabilities. In addition, CERT/CC communicates with the general public by issuing advisories for the more serious vulnerabilities and by publishing vulnerability notes for less serious software flaws.

Threat matrix
To prioritize vulnerabilities, CERT/CC uses its own internal threat matrix, in which each vulnerability submitted is assigned a number between 0 and 180. You can view an example here. The number takes into account how much information is available about a vulnerability, whether it has been exploited, whether it threatens the Internet's infrastructure, how many systems are vulnerable, what damage it might cause, and how easy it is to fix and to exploit. The results are not linear; for example, a vulnerability of 60 is not twice as severe as one of 30. The threat matrix is useful for identifying more critical vulnerabilities; they're the ones with the higher numbers.

CERT will now disclose all vulnerabilities to the public 45 days after the initial report, regardless of whether a patch or a workaround exists from a given vendor.

Two years ago, CERT/CC adopted its current vulnerability disclosure policy. CERT will now disclose all vulnerabilities to the public 45 days after the initial report, regardless of whether a patch or a workaround exists from a given vendor. Prior to this policy, there was no set timetable when information would be made public.

However, despite these parameters, CERT/CC has accommodated outside interests and made exceptions as recently as last February. That's when the SNMPv1 vulnerability was announced publicly. This flaw allowed malicious users to take control of a remote computer by using GetRequest, GetNextRequest, and SetRequest messages. Even though security researchers knew about this vulnerability for several months, CERT/CC delayed its announcement to the public. Hernan said, "We chose our initial release date, February 12, after extensive negotiation with the [software vendors and other interested parties]. Many wanted an earlier release, and many wanted a later release. Some wanted no release of the information."

Government influence
To better understand CERT/CC's delay in announcing the SNMP vulnerability, remember that it affected a long list of vendors. "The SNMP problem was pervasive, and finding, fixing, and addressing all the flaws takes considerable time and energy," said Hernan. However, some researchers have speculated that the U.S. government, not individual vendors, convinced CERT/CC to delay its SNMP announcement last February because the government feared that malicious users may have used the vulnerability to disrupt the 2002 Winter Olympics in Salt Lake City.

Instead of creating an entirely new organization to police the disclosure of software vulnerabilities, as I proposed a few weeks ago, let's free CERT/CC from the influence of the U.S. government. If security and software vendors financially support CERT/CC, this would allow the organization to become a more impartial clearinghouse of data on software vulnerabilities. And this, perhaps, would make software more secure--a benefit to all of us.

Do you think CERT/CC is the best organization to oversee the disclosure of software vulnerabilities? If not, how should we resolve this issue? TalkBack to me!

Security Watch archive

Read CNET product reviews

Senior Associate Editor Robert Vamosi covers hoaxes, viruses, and security threats for CNET Reviews. Have a question for him? Let him know!

	Next steps

• Find DSL in your own area |
• Download security and encryption apps |
• Protect yourself with a firewall or an Internet security suite |
• Shopper.com's most popular security and encryption apps

Security bonanza: McAfee lineup
From CNET Reviews

CNET Security Center
From CNET Reviews

CNET Virus Center
From CNET Reviews

Top security apps
From CNET Reviews

4 firewalls compared
From CNET Reviews

How to protect your PC from viruses
From CNET Reviews

Homeland security on your PC
From CNET Reviews

Virus & security alert forums
From CNET Message Boards


			Firewalls
			Antivirus software


		Home & Entertainment Weekly
		Photo & Video Weekly
		Shopper: Desktops & Notebooks
		CNET TechSpecials




		Surveys
		IT Professionals
		IT Management
		Small Business Owners


.manage.periph">Manage My Newsletters

Check out what's new
Introducing the all-new CNET!
Send feedback

- home
- reviews
- news
- downloads
- cnet tv
On the Insider: McCain compares Obama to Britney
- log in
- join CNET
- welcome,
- my profile
- log out

Dell 15" Laptop Deals

Reviews & advice: All product reviews; Editorial policies; Meet the editors; How we test; Tips & tricks

Popular topics: Apple iPhone; Apple iPod; Dell; PlayStation 3; Wii; Windows Vista

CNET sites: CNET TV; Downloads; Forums; News; Reviews; Site map

More information: Newsletters; Corrections; Customer Help Center; RSS; What's new; About CNET

Privacy policy
Terms of use
Visit other CBS Interactive sites:

#networkSites {display:none;}BNET | CHOW | CNET.com | CNET Channel | GameSpot | International Media | mySimon | Search.com | TechRepublic | TV.com | ZDNet