Running the Free Vulnerability Notification System Cassandra
Author
Pascal C. Meunier and Eugene H. Spafford
Tech report number
CERIAS TR 2002-34
Abstract
The public part of the vulnerability management cycle, publication-notification-patch, is of interest to system administrators. We describe the architecture of the Cassandra vulnerability notification system (https://cassandra.cerias.purdue.edu). The timeliness of the notifications was evaluated by using the publication dates of CERT Incident Notes as approximations for the dates when vulnerabilities are widely exploited. We found that notifications sent by Cassandra in 2001 (until November) provided a forewarning of 60 days on average. However, these notifications were not always timely. An analysis of the vulnerability information flow identified sources of undesirable delays. A new Cassandra service, CVE Change Logs, was created to report daily changes to the CVE and bypass some sources of delays. Other efforts by MITRE mitigated other sources of delays and consolidated changes on their web site. An unexpected finding of this study is that the timing and the number of vulnerabilities involved in the method of disclosing vulnerabilities can contribute to notification delays due to the limited processing capacity of intermediates and the finite patching capability of system administrators. We conclude that the large batch processing of vulnerabilities contributes to notification and patching delays and is undesirable. For the same reasons, randomly timed disclosures of vulnerabilities should be undesirable, suggesting the creation of a concerted mechanism for the disclosure of vulnerabilities.
Address
First.Org, Inc., PMB 349, 650 Castro Street, Suite 120, Mountain View, CA 94041, USA
Institution
Purdue University
Publisher
FIRST Conference
Publication Date
1970-11-30
Keywords
CVE, MITRE, ICAT
Subject
Vulnerability notification services