Computer security in the networked world is an issue at the forefront of enterprise-wide infrastructure implementation. Terms like spyware, malware, virus and worm have not only become common but, with time, their significance has grown enormously.
You might have noticed that the same worm in your system is named differently by different professionals. This happens because there is no global standard for naming the threats faced by online communities. Things get complex as terms like worm and Trojan, or threat and outbreak, sometimes overlap or are used interchangeably by different vendors and news services. This has often resulted in confusion when there is a need to cross-reference vulnerabilities posted by several popular vulnerability-watch services.
Worm variants further complicate the standardization of threat identification and reporting. This is where Common Malware Enumeration (CME) comes to the rescue. Launched publicly in the first week of October 2005, CME was also presented at the Virus Bulletin conference in Dublin, Ireland, in the same month.
Here’s how CME works: first, it defines its own scope and the meaning of every term used in its process. The purpose of CME is to assign a common identifier of the form ‘CME-N’ to a ‘malware threat’, where N is a number between 1 and 999 (expandable when the list is exhausted). For instance, CME-123.
A malware threat is defined as “anything that has the potential to damage a computer system or network.” It has also been stated that an identifier will be assigned to those malware threats which are significant “from the perspective of anti-virus vendors, IT security managers, and the general public.”
Information on each identifier is supplemented by a description (for example, other names and comments) and the date and time of assignment. A key feature of CME identifiers is that they do not uniquely identify threat components: if a threat consists of a number of files or elements, all of them are marked with the same identifier. For instance, if a buffer-overflow exploit results from a file downloaded through email, then the overflow signature, the exploit file and the email are all assigned the same identifier.
This results in better coordination and prompt incident identification in cases where it is unclear whether a particular risk is a single outbreak, multiple outbreaks, or a new outbreak altogether. Apart from standardizing the process of coordination, submission and assignment of identifiers, CME also formally defines previously vague terms like malware, virus, worm, Trojan, outbreak and threat. It is also important to note that CME is supported by a team of highly talented professional analysts working 24x7 on a process called ‘deconfliction’, whereby it is ascertained that no two threats are mistakenly assigned the same identifier.
Deconfliction is considered one of the most important steps in the overall CME process. Final deconfliction decisions are taken by a Sample Redistribution Group.
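As an added example that is not part of the original article, the following Python snippet models the identifier format, the alias cross-referencing and the deconfliction checks described above. The registry class, the vendor names and the threat description are constructed for illustration; CME-123 is only the article's sample identifier.

```python
import re

# Per the article, identifiers have the form CME-N with N between 1 and 999.
CME_ID_RE = re.compile(r"^CME-(\d{1,3})$")

def is_valid_cme_id(identifier):
    """True if identifier is CME-N with 1 <= N <= 999."""
    m = CME_ID_RE.match(identifier)
    return m is not None and 1 <= int(m.group(1)) <= 999

def normalise(name):
    """Collapse vendor naming differences (case, punctuation) into one key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

class CmeRegistry:
    """Toy model of CME assignment, alias cross-referencing and deconfliction."""
    def __init__(self):
        self.entries = {}      # cme_id -> {"description": ..., "aliases": set()}
        self.alias_index = {}  # normalised vendor name -> cme_id

    def assign(self, cme_id, description, aliases):
        """Assign a new identifier after the deconfliction checks pass."""
        if not is_valid_cme_id(cme_id):
            raise ValueError(f"malformed identifier: {cme_id}")
        # Deconfliction 1: no two threats may share one identifier.
        if cme_id in self.entries:
            raise ValueError(f"{cme_id} is already assigned")
        # Deconfliction 2: a vendor name already tied to another identifier
        # suggests a duplicate submission rather than a new outbreak.
        for alias in aliases:
            owner = self.alias_index.get(normalise(alias))
            if owner is not None:
                raise ValueError(f"{alias} already refers to {owner}")
        self.entries[cme_id] = {"description": description, "aliases": set(aliases)}
        for alias in aliases:
            self.alias_index[normalise(alias)] = cme_id

    def lookup(self, vendor_name):
        """Cross-reference one vendor's name to its CME identifier, or None."""
        return self.alias_index.get(normalise(vendor_name))

    def same_threat(self, name_a, name_b):
        """True when two differently named reports resolve to one identifier."""
        a, b = self.lookup(name_a), self.lookup(name_b)
        return a is not None and a == b

# Constructed sample: CME-123 is the article's example id; the vendor names are made up.
registry = CmeRegistry()
registry.assign("CME-123", "mass-mailing worm (constructed)",
                ["W32/Example.worm", "Win32.Example.A", "Example.A@mm"])
```

With this registry, `registry.lookup("WIN32 EXAMPLE A")` resolves to `"CME-123"` despite the different spelling, and a second `assign` reusing either the identifier or one of the vendor names is rejected by the deconfliction checks.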
Why CME has become so popular within a couple of weeks of its launch has much to do with its backers: US-CERT (the United States Computer Emergency Readiness Team) and the US Department of Homeland Security. MITRE Corporation manages CME under funding from US-CERT and DHS, which also fund two similar projects, CVE (Common Vulnerabilities and Exposures) and OVAL (Open Vulnerability and Assessment Language).
It is highly likely that members of the information security community will gradually adopt the CME initiative to streamline communication among themselves, the media and the public. With support from the open source community catching up, CME has strong academic uses as well. With Pakistan joining the net bandwagon, there is much emphasis on providing secure communication channels, and the use of CME will surely help professionals, particularly those involved in vulnerability analysis.
Although a few years ago there was not much stress on network security except, by and large, among ISPs, what we see now is companies specializing in providing security solutions, and new careers in encryption and PKIs are hot these days. Remaining up-to-date with new developments in this dog-eat-dog game of security is certainly a necessity.