Donston:
With me now is Steven Christey, senior software analyst at
MITRE. Steve, you've mentioned several times during the summit that
you think education is lacking. How is it lacking and how do you
think it can be improved?
Christey:
Education is a pretty big challenge because there are a lot
of different types of organizations, and individuals within those
organizations, that need to be educated. The problem stems from
programmers who don't know all of the different bugs that they can
introduce into their code that can allow hackers to exploit that code
to break into systems. There are CIOs who do not necessarily
understand the impact that these very low-level bugs can have on the
security of their entire enterprise. There is education of system
administrators who are often overworked and are given security as just
one of many different responsibilities, and they don't necessarily
have the support of management above them. System administration in
some cases is sort of an afterthought with respect to the job that the
person really needs to do. Maybe they're doing certain project work,
or they're working on developing a new system or something like that,
and system administration is just one of the tasks that they need to
perform. So you have a lot of these different stakeholders in terms
of education, each of whom needs a different type of education with
respect to computer security.
Donston:
Where should that education come from?
Christey:
The education should come from a lot of different sources,
one of them being the university system itself. Programmers, when
they're learning how to program, should be taught secure methods for
programming. With respect to the senior management in terms of
enterprises, I think that's a good question. We've heard in today's
discussion a lot that there is often a "prove it to me" sort of
attitude that is taken by CIOs and by system administrators as well,
in terms of really understanding that "OK, this is a problem, but it
doesn't apply to me." If their system is proven to be vulnerable and
they are shown concretely what that problem is, then they can better
understand the true extent of the impact it has on security. However,
who does that education is another question. There are services out
there - security services - that will help to do that education.
There are organizations that are starting to come out with educational
programs, certification kinds of programs, although in most cases
they're still fairly new. So, those are some of the different sources
where the education can come from. Then there's also self-education,
in terms of system administrators or programmers educating themselves.
However, there's such a wealth of information out there, and it's not
all in one easy-to-access location, that even if someone is interested
in learning more about security, it can be hard for them to select
from all of the different options that are available to them.
Donston:
There's a lot of information out there, and the information
comes with different terminology. Sometimes the same thing is called
two different terms. MITRE is working on a project to come up with a
common naming system. Can you tell us about that?
Christey:
Yeah. It's called Common Vulnerabilities and Exposures.
Basically, what we're doing is, we are creating a list of all of the
known vulnerabilities that are out there, and working with other
people in the community to agree to a single name to use for each
individual vulnerability. One of the problems that's out there is,
because there's such a high volume of information and there are a lot
of different security products and databases that are dealing with
vulnerability information, everyone uses a different name to describe
that particular vulnerability. So it makes it very difficult to
integrate information from all of these different sources.
Donston:
And more difficult to educate people about the problems.
Christey:
It can also become more difficult to educate people about
the problems as well because security vulnerabilities - sometimes
there can be so many of them in the same system that you aren't
necessarily sure which one you're even really talking about. So, the
approach that we've taken is to come up with a common name for each
vulnerability, and we've built up an editorial board, which consists
of approximately 30 different organizations from government, academia,
from the commercial world - both in terms of vendors of security
products and vendors of software products - and other kinds of
security experts, all of whom consult with us at MITRE to populate the
list, to agree on the names, and then to distribute that list to the
public.
Donston:
Where can people find information on the CVE?
Christey:
The CVE list and supporting information can be found at the
URL: cve.mitre.org.
Donston:
OK, thanks so much, Steve.
Christey:
Thank you.