For Immediate Release
SKYBOX JOINS INDUSTRY EXPERTS IN URGING WIDE-SCALE GLOBAL ADOPTION OF NEW COMMON VULNERABILITY SCORING SYSTEM (CVSS)
Vendor-agnostic language for measuring and addressing network vulnerabilities key in fight against internet threats
LONDON, UK - Sep 23, 2005. Skybox® Security, Inc., the leader in Security Risk Management (SRM), today announced that as a member of the Forum of Incident Response and Security Teams (FIRST) - a not-for-profit network of computer security incident response teams representing government, law enforcement, commercial, education and other organisations worldwide - it has joined industry leaders in urging organisations throughout the global Information Technology (IT) community to test the first Common Vulnerability Scoring System (CVSS). FIRST is hosting and serving as custodian for updates to the CVSS, designed to give security professionals, business executives and end users across industries a standard language for measuring vulnerabilities of networked information systems and prioritising responses.
CVSS was designed by a team of industry-leading companies, including Cisco Systems®, Inc., eBay, Internet Security Systems and Qualys Inc. in support of the U.S. National Infrastructure Advisory Council (NIAC). It is a simple, open, vendor-agnostic system that combines seven base metrics with a temporal (time-dependent) metric group and an environmental (deployment-dependent) metric group to produce a composite score representing the overall risk presented by a vulnerability.
Avi Corfas, EMEA VP and MD at Skybox Security, said:
"CVSS is a straightforward way to address the issues caused by the numerous incompatible scoring systems currently in place. We are working together to build on the first-generation framework we have developed, and in order to come up with a system that is usable and accepted across the industry we are urging the global IT community to get involved and provide us with feedback. The main goal of FIRST is to design a simple system that everyone can use, that will transform the way that network threats are evaluated and dealt with."
At the initial meeting of FIRST's CVSS Special Interest Group, early adopters of the system including Skybox Security, alongside Assuria, CERT/CC, Cisco Systems, IBM, Internet Security Systems, JPCERT/CC, netForensics, Pentest Ltd., Qualys, Sintelli and Unisys, agreed to test the system and look into applicable usage within their companies. More than 30 governments and vendors were represented at the July meeting in Singapore.
"Through CVSS, the security industry has made incredible progress in creating a common language for understanding vulnerabilities and threats," said Gerhard Eschelbeck, one of the designers of CVSS. "There are already a number of organisations who have committed to CVSS and begun implementation. With the resources and focus of the FIRST team, we'll be able to take this initiative to the next level of widespread adoption."
IT specialists interested in finding out how they can participate and reviewing the CVSS framework and tools to facilitate end-user scoring can visit http://www.first.org/cvss.
About CVSS
CVSS, unveiled on the U.S. Department of Homeland Security's web site on Feb. 23, 2005, grew out of NIAC efforts to promote a common understanding of network threats. In a report released in January 2004, the NIAC defined a vulnerability as "a set of conditions that may lead to an implicit or explicit failure of the confidentiality, integrity or availability of an information system." The report said that hardware or software design flaws, botched administrative processes, lack of information-security awareness and education, and/or failure to adhere to current practices could cause vulnerabilities. The effects, the NIAC reported, could include:
- one user posing as, or being able to execute commands as, another
- access to data beyond the permission levels granted
- abnormal denials of service, and unauthorised destruction of data (whether intentional or inadvertent)
- exploitation of weaknesses in encryption
Different systems for scoring vulnerabilities are in use today. Frequently "home-grown" (developed for a specific organisation by its own IT department), these systems use different metrics, tend to be Internet-centric, do not accommodate change over time, and make no provision for operational environments with differing risk profiles. The CVSS development team sought to overcome these shortcomings and create a system that is freely available and simple for anyone to use, in any operational environment, for measuring any potential vulnerability. The metrics weighted in the CVSS formulas include impact to system availability, data confidentiality and integrity, as well as the vulnerability's exploitability and its potential for collateral damage.
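As an added worked example (not code from the press release, FIRST or Skybox), the following Python module implements the three metric groups the release describes: the seven base metrics, the temporal adjustment and the environmental adjustment. The weights and formulas are those of the 2005 CVSS version 1 guide as published by FIRST; the metric key names, the dictionary layout and the sample vulnerability are my own, and anyone relying on this should check the constants against the current documents at http://www.first.org/cvss.

```python
"""CVSS version 1 scoring: base, temporal and environmental metric groups.

Added example. Weights and formulas follow the 2005 CVSS v1 guide; the
metric key names used here are assumptions of this example, not a FIRST
naming standard. Verify constants against http://www.first.org/cvss.
"""
from decimal import Decimal, ROUND_HALF_UP

# --- Base metric group (seven metrics) ----------------------------------------
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}  # applies to C, I and A alike
# Impact bias: relative weight of (confidentiality, integrity, availability) impact
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}

# --- Temporal metric group (each factor can only lower the base score) ---------
EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.9, "functional": 0.95, "high": 1.0}
REMEDIATION_LEVEL = {"official_fix": 0.87, "temporary_fix": 0.90, "workaround": 0.95, "unavailable": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95, "confirmed": 1.0}

# --- Environmental metric group (site-specific) --------------------------------
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def _round1(x: float) -> float:
    """Round half-up to one decimal place (the guide's convention), avoiding
    Python's round-half-to-even and floating-point noise such as 6.99299..."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(access_vector, access_complexity, authentication,
               conf_impact, integ_impact, avail_impact, impact_bias="normal"):
    """Intrinsic severity: access factors times bias-weighted C/I/A impact, scaled to 0-10."""
    cw, iw, aw = IMPACT_BIAS[impact_bias]
    impact = IMPACT[conf_impact] * cw + IMPACT[integ_impact] * iw + IMPACT[avail_impact] * aw
    return _round1(10 * ACCESS_VECTOR[access_vector] * ACCESS_COMPLEXITY[access_complexity]
                   * AUTHENTICATION[authentication] * impact)


def temporal_score(base, exploitability, remediation_level, report_confidence):
    """Time-dependent view: multiply the base score by the three temporal factors."""
    return _round1(base * EXPLOITABILITY[exploitability]
                   * REMEDIATION_LEVEL[remediation_level]
                   * REPORT_CONFIDENCE[report_confidence])


def environmental_score(temporal, collateral_damage, target_distribution):
    """Deployment view: collateral damage pulls the score toward 10, then target
    distribution scales it by the share of the environment that is exposed."""
    adjusted = temporal + (10 - temporal) * COLLATERAL_DAMAGE[collateral_damage]
    return _round1(adjusted * TARGET_DISTRIBUTION[target_distribution])


def score_vulnerability(base_metrics, temporal_metrics, environmental_metrics):
    """Carry one vulnerability through all three groups; returns (base, temporal, environmental)."""
    b = base_score(**base_metrics)
    t = temporal_score(b, **temporal_metrics)
    e = environmental_score(t, **environmental_metrics)
    return b, t, e


if __name__ == "__main__":
    # Constructed sample: remotely reachable, no authentication needed, partial C/I/A
    # impact, functional exploit public, vendor fix available, report confirmed,
    # present on most of the site's hosts with moderate collateral damage potential.
    scores = score_vulnerability(
        dict(access_vector="remote", access_complexity="low", authentication="not_required",
             conf_impact="partial", integ_impact="partial", avail_impact="partial"),
        dict(exploitability="functional", remediation_level="official_fix",
             report_confidence="confirmed"),
        dict(collateral_damage="medium", target_distribution="high"),
    )
    print("base / temporal / environmental:", scores)
```

Two properties worth noticing when running it: the temporal factors are all at most 1.0, so a published fix or an unconfirmed report can only lower a score, never raise it; and target distribution of "none" drives the environmental score to 0.0 regardless of base severity, which is the mechanism that lets a site deprioritise a vulnerability in software it does not run.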
NIAC is chartered to provide policy advice to the president of the United States. As it examined the need for a global vulnerability-reporting framework, the NIAC recommended development of a common scoring system, which resulted in CVSS. Both the vulnerability disclosure framework and CVSS are recommended for global use. The NIAC published those reports as a public service, drawing out specific recommendations for the U.S. president. NIAC reports are available at http://www.dhs.gov/niac/.
About FIRST
FIRST believes that a global approach to adoption of the new standard is the best strategy. Through the international collaboration that takes place within the organisation on a regular basis, FIRST is uniquely qualified both to promote the adoption of CVSS inside and outside its membership and to maintain the standard going forward. As part of its mission, FIRST encourages and promotes the development of quality security products, policies and services and of computer security best practices.
About Skybox Security
Skybox® Security, Inc. is the leader in next-generation Security Risk Management (SRM) solutions. The company's flagship product, Skybox® View, is the first enterprise software platform that raises vulnerability assessment, threat analysis, remediation planning and change management to the business risk level where it belongs. By combining business impact analysis and simulation with vulnerability data and network modelling, enterprises can continuously maintain risk-resilient networks, reduce regulatory compliance exposures and shrink the window of exposure from months to hours.
With Skybox View, security professionals can take a disciplined approach to measure business risk exposure, understand effectiveness of remediation alternatives, justify mitigation efforts (ROI) and minimise damage from attacks while lowering operating cost. By enhancing current best practices and internal controls with automated risk management analysis, the security, network and business units can work more effectively as a team. Skybox solutions have been successfully deployed at highly respected Global 2000 companies worldwide.
Founded in 2002, the company is headquartered in Palo Alto, California and is backed by Benchmark Capital, Lightspeed Venture Partners, Carmel Ventures and Mofet Technology Fund. For more information visit http://www.skyboxsecurity.com
PR contacts:
Alex MacLaverty or Becky Kiely
Hotwire PR
020 7608 2500
Alex.maclaverty@hotwirepr.com
Rebecca.kiely@hotwirepr.com