    Understanding Our Approach to Addressing Known and Unknown Vulnerabilities

    This topic includes the following sections:

    Known Vulnerabilities

    Known vulnerabilities are those documented within the Internet security community. The Internet security community comprises several security organizations, security analysts, and security forums. The security community continually discovers and analyzes new attacks and exchanges this information over the Internet. In this way, they can quickly locate, identify, and truly understand an attack.

    Some security advisories include the actual attack code. You can use the attack information and the attack code to capture packet information and service contexts. You can use this information to create a custom signature attack object.

    Unfortunately, most advisories do not post the attack code with the attack description. If you cannot obtain the attack code, read the advisory carefully and try to reconstruct the basics of the attack packet.

    Caution: Remember to isolate code acquired from unknown sources.
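The two paragraphs above describe the workflow: take the attack information from an advisory, capture the packet and its service context, and turn that into a custom signature. The example below, added here and not part of the Juniper documentation, shows why the service context matters when writing the signature. It parses constructed HTTP requests (not real captures) into a simplified, hypothetical service context and evaluates the same pattern once against the raw packet and once against the URL context only; the signature format here is invented for illustration and is not the IDP Series signature syntax.

```python
import re
from dataclasses import dataclass


@dataclass
class ServiceContext:
    """Fields recovered from one HTTP request (a hypothetical, simplified service context)."""
    method: str
    url: str
    headers: dict
    body: bytes


def parse_http_request(raw: bytes) -> ServiceContext:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, url, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return ServiceContext(method.decode("latin-1"), url.decode("latin-1"), headers, body)


@dataclass
class Signature:
    """A custom signature: a regex bound to one context (hypothetical format, not IDP syntax)."""
    name: str
    context: str   # "packet", "http-url", "http-header" or "http-body"
    pattern: bytes


def match_signature(sig: Signature, raw: bytes) -> bool:
    """Return True if the signature's pattern occurs in the chosen context of the request."""
    if sig.context == "packet":
        # Packet context: the pattern may match anywhere in the raw bytes.
        return re.search(sig.pattern, raw) is not None
    ctx = parse_http_request(raw)
    if sig.context == "http-url":
        target = ctx.url.encode("latin-1")
    elif sig.context == "http-header":
        target = b"\r\n".join(f"{k}: {v}".encode("latin-1") for k, v in ctx.headers.items())
    elif sig.context == "http-body":
        target = ctx.body
    else:
        raise ValueError(f"unknown context {sig.context!r}")
    return re.search(sig.pattern, target) is not None


# Constructed sample traffic (not real captures).
TRAVERSAL_REQUEST = (
    b"GET /download?file=../../config.txt HTTP/1.1\r\n"
    b"Host: app.example\r\n\r\n"
)
BENIGN_REQUEST = (
    b"POST /forum/post HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Reminder: relative paths like ../../ are resolved by the client."
)

# Same pattern, two contexts: the packet-wide version also fires on the benign
# forum post, the URL-bound version fires only on the request that carries the
# pattern where the attack actually lives.
PACKET_SIG = Signature("traversal-anywhere", "packet", rb"\.\./\.\./")
URL_SIG = Signature("traversal-in-url", "http-url", rb"\.\./\.\./")


def evaluate(sig: Signature, samples: dict) -> dict:
    """Map each sample name to whether the signature fires on it."""
    return {name: match_signature(sig, raw) for name, raw in samples.items()}


if __name__ == "__main__":
    samples = {"traversal": TRAVERSAL_REQUEST, "benign": BENIGN_REQUEST}
    for sig in (PACKET_SIG, URL_SIG):
        print(sig.name, evaluate(sig, samples))
```

Run as a script it prints the verdicts for both signatures. The point for signature authors is the false positive: the packet-context version cannot tell a request line from a message body, so the service context captured in the lab is what lets the final signature be scoped to the field the advisory describes.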

    The following organizations are active in the security community and are a good resource for locating attack information:

    • NVD—National Vulnerability Database (http://nvd.nist.gov). The U.S. government repository of vulnerability management data represented using the Security Content Automation Protocol (SCAP).
    • SANS—SysAdmin, Audit, Network, Security Institute (www.sans.org). An information security research, certification, and education organization that provides security alerts. Also hosts the Internet Storm Center (ISC) at http://www.incidents.org.
    • CVE—Common Vulnerabilities and Exposures (http://cve.mitre.org). A standardized list of vulnerabilities and other information security exposures.
    • BugTraq (http://securityfocus.com/archive/1). A moderated mailing list hosted by SecurityFocus that discusses and announces computer security vulnerabilities.
    • CERT Coordination Center (http://www.cert.org). A federally funded security alert organization that provides security advisories.
    • Packet Storm Security (http://packetstormsecurity.nl). A nonprofit organization of security professionals that provides security information by way of security news, advisories, forums, and attack code.
    • Metasploit (http://www.metasploit.com). Metasploit provides useful information for performing penetration testing, IDS signature development, and exploit research.
    • FrSIRT—French Security Incident Response Team (http://www.frsirt.com). FrSIRT is an independent security research organization providing security advisories and real-time vulnerability alerting and notification services.
    • ISS—Internet Security Systems (http://www.iss.net). An Internet security company that provides alerts and Internet threat levels.

    Unknown Vulnerabilities

    Unknown vulnerabilities are those that have not been documented in Internet security community advisories. In these cases, the IDP Series Profiler, firewall, or IDP security event logs generated in your production environment alert you to suspicious activity and abnormal traffic. In your production environment, you will use packet logging tools to capture packets and service context information that you can later analyze and experiment with in your lab.


    Published: 2011-02-08