
The 411 on CVE

March 14, 2007
by Greg Goth
Industry standards and common-language dictionaries are available to network security administrators, but is anyone paying attention?

Larry Pesce, manager of information systems security for Care New England, Providence, R.I., cannot imagine doing his job without tools that support the industry-standard vulnerability dictionary known as CVE (Common Vulnerabilities and Exposures).

"Well, actually, I can, but I don't really want to," Pesce says.

Yet, despite its name, the CVE — developed and maintained by the federally funded MITRE Corp., Bedford, Mass. — is not commonly used as a reference by security administrators. In fact, although it has been in existence for seven years, it isn't even common knowledge. Gary Miliefsky, founder and chief technology officer of NetClarity, Bedford, Mass., says as recently as six months ago, not one of 30 healthcare information technology executives at a conference in which he spoke had even heard of CVEs.

Why this widespread ignorance of the resource continues is a bit of a mystery to vendors and the government computer scientists working on CVE and its related technologies. Security vendors have already manufactured more than 300 products and services that are certified CVE-compatible, meaning they all refer to the same CVE reference documentation, enabling different vendors' products to interoperate.

Before the CVE list was originated in 1999, vendors would often give the same vulnerability wildly divergent names in an attempt to differentiate themselves from their competitors. This resulted in a ball of confusion for security administrators who were charged with trying to ascertain exactly which vulnerabilities affected which ports and applications.
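As an added illustration of why a shared identifier matters (this is not code from the article or from any vendor's product): the Python below takes constructed findings from two hypothetical scanners that name the same flaw differently, merges them by CVE ID so each vulnerability is counted once, and sets aside findings that carry no usable CVE and so cannot be cross-referenced.

```python
import re
from collections import defaultdict

# Canonical CVE identifier syntax: CVE-<four-digit year>-<four or more digits>.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample findings from two hypothetical scanners. The IDs ending in
# 0000 are placeholders, not real CVE entries. Each vendor uses its own name for
# the flaw; only the CVE field is shared between the two reports.
SCANNER_A = [
    {"name": "SMB Remote Code Execution", "cve": "CVE-2007-0000", "host": "10.0.0.5"},
    {"name": "Outdated SSH daemon", "cve": "CVE-2006-0000", "host": "10.0.0.7"},
]
SCANNER_B = [
    {"name": "Windows File Sharing Overflow", "cve": "CVE-2007-0000", "host": "10.0.0.5"},
    {"name": "OpenSSH version disclosure", "cve": "cve-2006-0000 ", "host": "10.0.0.7"},
    {"name": "Proprietary check #42", "cve": None, "host": "10.0.0.9"},
]

def normalize_cve(value):
    """Return the upper-cased CVE ID, or None if the value is not a valid identifier."""
    if not value:
        return None
    value = value.strip().upper()
    return value if CVE_ID.match(value) else None

def correlate(*reports):
    """Merge findings from several tools, keyed by CVE ID.

    Returns (by_cve, unmapped): by_cve maps each CVE to the hosts and the
    vendor-specific names seen for it; unmapped lists findings without a
    usable CVE, which cannot be reconciled across tools.
    """
    by_cve = defaultdict(lambda: {"hosts": set(), "names": set()})
    unmapped = []
    for report in reports:
        for finding in report:
            cve = normalize_cve(finding.get("cve"))
            if cve is None:
                unmapped.append(finding)
                continue
            by_cve[cve]["hosts"].add(finding["host"])
            by_cve[cve]["names"].add(finding["name"])
    return dict(by_cve), unmapped

if __name__ == "__main__":
    merged, leftovers = correlate(SCANNER_A, SCANNER_B)
    print(f"{len(merged)} distinct CVEs, {len(leftovers)} uncorrelated findings")
    for cve, info in sorted(merged.items()):
        print(cve, sorted(info["hosts"]), sorted(info["names"]))
```

Without the CVE key, the five raw findings would read as five separate problems; keyed by CVE they collapse to two, plus one that no other tool can be asked about.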

Cost-effectiveness research done by both end users and vendors has shown CVE-based technology is worth the money. And, despite slow progress in coordinating government efforts to enhance the usefulness of CVE and other core security references, the infrastructure around it has made impressive strides recently.

In August 2005, the National Institute of Standards and Technology (NIST), Gaithersburg, Md., launched the National Vulnerability Database (NVD), which is updated in real time with the latest CVE descriptions plus enhanced analysis, a database, and fine-grained search capabilities.

"In the past couple of years, we've seen a combining of all these efforts, and it's absolutely great to have all that information in one spot," Pesce says. "To me, the CVE and NVD reference is sort of the Rosetta Stone of threats and vulnerabilities, and a good number of the vendors haven't really realized that, or realized the value of that."

Pesce says the CVE-compatible automated penetration testing tool he uses (Core Impact from Core Security, Boston) has saved Care New England — which includes three hospitals, community wellness centers in Providence and Warwick, R.I., and a visiting nurses' association — the cost of hiring one to two full-time network administrators. Pesce says the organization's senior management decided it wanted complete penetration testing of all network resources every quarter to meet Health Insurance Portability and Accountability Act (HIPAA) security due diligence requirements. To do that manually, he says, would have been a monumental task, and also quite dangerous, as homebrewed penetration tests might very well bring a network down accidentally.

Pesce's cost-savings analysis is backed by another industry veteran. Billy Austin, chief security officer of Saint Corporation, Bethesda, Md., which recently introduced a CVE-compatible integrated vulnerability scanning and penetration testing tool, says his company's research shows users who take advantage of the CVE reference infrastructure save an average of 2.5 hours of staff time over doing Internet searches for any given vulnerability's attack vectors, likely impact of an exploit, and remediation steps.

Considering that the latest estimate of vulnerabilities stands at about 17 newly discovered ones per day, according to NIST senior computer scientist Peter Mell, those hours can add up quickly.

Where's the momentum?

Mell, the NVD project lead and creator, says the new NVD/CVE capabilities are a significant step ahead for network administrators.

"End users need a way to prioritize the constant stream of vulnerabilities that are coming out," Mell says. "IT organizations need to know the answer to, 'Do I panic right now?' or, 'Can this be part of my usual configuration management update I can do in two weeks?' By integrating the NVD and CVE, we've made a significant step toward helping people to do that.

"But — and it's a big but — what we're doing is helpful, but not revolutionary in terms of how the industry does things."