8.2 National vulnerability assessments

The national effort to identify vulnerabilities is moving ahead at a frantic pace. For this effort to be successful, organizations need to be forthwith in providing information that will contribute to national vulnerability assessments. It is also important that all organizations better understand the potential consequences of threats and vulnerabilities.

To address technology vulnerabilities the Computer Security Division at the NIST has established a computer security resources center (csrc.nist.gov) and a venerability and threat portal (icat.nist.gov/vt_portal.cfm).

The threat portal provides access to the ICAT Metabase. The ICAT Metabase is a searchable index of computer vulnerabilities that links users into a variety of publicly available vulnerability databases and patch sites, enabling them to find and fix the vulnerabilities existing on their systems.

ICAT allows searches at a fine granularity, a feature unavailable with most vulnerability databases, by characterizing each vulnerability according to over 40 attributes (including software name and version number). ICAT does not compete with publicly available vulnerability databases, but instead is a search engine that drives traffic to them. The ICAT developers were supported by numerous agencies and organizations, including the following:

• The Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University

• FedCIRC

• Internet Security Systems X-Force

• National Information Assurance Partnership (NIAP)

• SysAdmin, Audit, Network, Security (SANS) Institute

• Security Focus

Among the 40 pieces of data and information that ICAT provides on over 5,000 vulnerabilities is a classification of a severity. Vulnerabilities can have one of three severity levels: high, medium, or low.

• A vulnerability is high severity if it:

• Allows a remote attacker to violate the security protection of a system (i.e., to gain some sort of user or root account)

• Allows a local attack that gains complete control of a system

• Is important enough to have an associated CERT/CC advisory

• A vulnerability is medium severity if it:

• Does not meet the definition of either high or low severity

A vulnerability is low severity if it:

• Does not typically yield valuable information or control over a system, but instead gives the attacker knowledge that may help the attacker find and exploit other vulnerabilities

• Believed by the NIST staff to be inconsequential for most organizations

It is important to note that so far much of the effort to assess vulnerabilities has focused on technology. The ultimate goal of the National Strategy to Secure Cyberspace is to go beyond technology and to view vulnerabilities in a more holistic manner. This includes examining how organizations are interconnected and how disruptions or attacks can be prevented or contained. This is discussed in more detail in the following sections.