CVEs are an integral part of managing vulnerabilities. You might have heard the acronym thrown around before, but what does it stand for and what makes them important?
What Is a CVE?
CVE stands for Common Vulnerabilities and Exposures, and it refers to a database containing publicly disclosed information security vulnerabilities and exposures.
The system is actively maintained by the United States’ National Cybersecurity FFRDC, which is run by the MITRE Corporation.
With the latter being a not-for-profit organization, CVE relies on funding from the US Department of Homeland Security’s National Cyber Security Division to operate.
The Difference Between Vulnerabilities and Exposures
Vulnerabilities are flaws that create weaknesses in an infrastructure which a cyberattack could exploit. They can consist of anything from unpatched software to an unprotected USB port.
When left unattended, they can allow cybercriminals to access system memory, install malware, run malicious code, or even steal, destroy, and modify confidential data.
An exposure represents a single instance when an organization’s system is endangered.
Commonly described as a simple mistake, it opens an organization to various instances of cyber-harm.
Examples include, but are not limited to:
- data leaks
- data breaches
- personally identifiable information being exfiltrated and sold on the Dark Web.
An overwhelming majority of security incidents are caused by exposures rather than well-thought-out exploit plans.
The History of the CVE System
The initial concept of what would later become the CVE database originated in a whitepaper entitled Towards a Common Enumeration of Vulnerabilities penned by co-creators Steven M. Christey and David E. Mann of the MITRE Corporation.
The duo presented the piece at Purdue University’s 2nd Workshop on Research with Security Vulnerability Databases that took place in January 1999.
Starting from there, Christey and Mann assembled a working group that would later become the 19-member CVE Editorial Board, and compiled an original CVE list of 321 records.
In September 1999, the roster became publicly available, and thus the system as we have come to know it today was born.
From the launch of the CVE list in 1999, multiple companies in the cybersecurity community endorsed the initiative with compatible products. By December 2000, a total of 29 organizations were participating in the initiative with their 43 companion offerings.
In addition to this, the CVE database was used as the starting point for multiple entirely new products, such as NIST’s U.S. National Vulnerability Database (NVD).
Over the years, the system has continued to grow and is still doing so today, with growth accelerating since the inclusion of new CNAs in 2016. Thus, the initiative expands with every organization that joins MITRE as a collaborator.
The complete list of partners can be found over at CVE.org.
How Are CVEs Determined?
When it comes down to how a CVE is determined, there is a simple rule of thumb you need to remember – all CVEs are flaws, but not all flaws are CVEs. A flaw is declared a CVE when it meets three very specific criteria:
- The flaw can be fixed independently of any other bugs.
- The software vendor acknowledges and documents the flaw as hurting the security of its users.
- The flaw affects a singular codebase. Flaws that affect multiple products are assigned several CVEs.
Every flaw determined to be a CVE is then assigned a number called a CVE Identifier, or CVE ID. These IDs are assigned by one of over 220 CVE Numbering Authorities, or CNAs for short, from 34 countries.
According to MITRE, CNAs are represented by a variety of organizations, from software vendors and open source projects to bug bounty service providers and research groups.
All these entities are authorized to assign CVE IDs and publish records of them by the CVE Program.
Associations and businesses from a multitude of industries have joined the CNA program over the years. The requirements to do so are minimal and don’t involve a contract or monetary fee.
CVE IDs follow the standard format CVE-[Year]-[Number]. The [Year] portion represents the year when the vulnerability or exposure was reported, and the [Number] is a sequence number assigned by the respective CNA.
What is a CVSS Score?
The CVSS (Common Vulnerability Scoring System) represents a numerical interpretation (on a 0-10 scale) of the severity of a CVE.
Infosec teams frequently employ CVSS ratings as part of their vulnerability assessment process to prioritize the fix of high-risk vulnerabilities.
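The ID format and the CVSS scale described above lend themselves to a small triage helper. The following Python is an added example, not code from this article or from Heimdal: it validates IDs against the CVE-[Year]-[Number] pattern (the sequence number has at least four digits and no upper bound, per the 2014 CVE syntax change), maps CVSS base scores to the qualitative bands defined in the CVSS v3 specification (which the article does not list), and ranks a constructed set of placeholder findings for patch prioritization.

```python
import re

# CVE-<Year>-<Number>: four-digit year, then a sequence number of at least four
# digits with no upper bound (the 2014 syntax change removed the old 4-digit cap).
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<number>\d{4,})$")

# CVSS v3.x qualitative bands from the CVSS spec (the article only gives the 0-10 scale).
SEVERITY_BANDS = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"),
                  (8.9, "High"), (10.0, "Critical"))


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Normalize and validate a CVE ID; return (year, number) or raise ValueError."""
    match = CVE_ID_RE.match(cve_id.strip().upper())
    if match is None:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    return int(match.group("year")), int(match.group("number"))


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return next(label for upper, label in SEVERITY_BANDS if score <= upper)


def prioritize(findings):
    """Rank (cve_id, cvss) pairs highest score first. Malformed IDs are reported
    separately rather than dropped: a bad ID in a scanner export usually means a
    tooling or parsing bug that is worth investigating."""
    ranked, rejected = [], []
    for cve_id, score in findings:
        try:
            year, number = parse_cve_id(cve_id)
        except ValueError as exc:
            rejected.append((cve_id, str(exc)))
            continue
        ranked.append({"cve": f"CVE-{year}-{number:04d}", "cvss": score,
                       "severity": cvss_severity(score)})
    ranked.sort(key=lambda f: (-f["cvss"], f["cve"]))
    return ranked, rejected


# Constructed sample input: placeholder IDs, not real CVE records.
SAMPLE_FINDINGS = [
    ("cve-2019-0001", 5.3),      # lowercase input is normalized
    ("CVE-2020-12345", 9.8),
    ("CVE-21-1234", 7.0),        # two-digit year: malformed
    ("CVE-2022-123", 4.0),       # three-digit number: malformed
    ("CVE-2018-1000001", 7.5),   # seven-digit number is valid
    ("CVE-2020-0002", 0.0),
]
```

Calling prioritize(SAMPLE_FINDINGS) returns the four well-formed findings ordered Critical, High, Medium, None, plus the two malformed IDs with their rejection reasons.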
How Many CVEs Are There?
Thousands of new CVEs have been published every year since the program was founded in 1999. At the moment I am writing this article, the official CVE.org website reports a total of 177,353 CVE records on the list. That boils down to an average of 7,711 vulnerabilities and exposures per year, but the reality of the last few years is that the number is almost double, with as many as 15,000 new CVEs reported.
Out of the over 177,000 CVEs currently on record, more than half belong to the world’s top 50 software vendors. For example, companies such as Microsoft or Oracle both have more than 6,000 flaws reported in their products.
Why Are CVEs Important?
The CVE Program was created to simplify the sharing of information about known vulnerabilities among organizations.
This is possible because the aforementioned CVE IDs give cybersecurity professionals the option to easily find information on flaws in various reputable sources by using the same denominator across the board.
With this system in place, organizations are encouraged to constantly update their security strategies according to the newest vulnerabilities and exposures that appear.
In addition to this, the CVE list is a strong baseline for businesses to evaluate the coverage of the solutions they use and decide whether to invest in more robust defenses or not.
Using CVE IDs is also the preferred course of action not only in cyberattack prevention but also in detecting and responding to system vulnerabilities.
By looking up CVE IDs when an issue is detected, organizations can gain accurate information on a particular exploit rather quickly from several certified sources, allowing them to prioritize its mitigation properly.
Can Cybercriminals Exploit CVEs?
Unfortunately, just like organizations can use CVEs to their benefit, so can cybercriminal groups.
When vulnerabilities become known to the general public, there is a window between their publication and their mitigation across all affected software users that hackers can exploit.
However, the benefits of CVEs far outweigh their drawbacks. For one, the list is restricted to known vulnerabilities and exposures only.
On top of that, sharing information within the cybersecurity community is one of the surest ways to reduce cyberattack vectors when combined with robust cybersecurity solutions that back this knowledge up.
How Heimdal Can Help You Patch CVEs
At the end of the day, the CVE list is just that – a list. But when it comes to preventing attacks, the speed of execution in patching CVEs matters the most.
The longer the time, the higher the risk of being exploited. Your company’s cybersecurity strategy should always take into account the latest threats, but that means you need a strategy to begin with.
When it comes to mitigating and handling vulnerabilities, Heimdal Patch & Asset Management can provide a swift response.
A completely automated patching solution and software inventory management tool, it allows you to deploy updates for Microsoft and Linux operating systems, as well as third-party and proprietary software, as soon as they are released.
In this way, you are not only steering clear of CVEs, but you are also minimizing the window of opportunity for cybercriminals to exploit those vulnerabilities.
Heimdal Patch & Asset Management is designed to work with minimal interruptions and optimized scheduling efficiency for increased productivity and fewer disruptions for your employees.
Heimdal® Patch & Asset Management
- Create policies that meet your exact needs;
- Full compliance and CVE/CVSS audit trail;
- Gain extensive vulnerability intelligence;
- And much more than we can fit in here...
Final Thoughts
Keeping up with the latest vulnerabilities and exposures is just the first step. Automated patching is the natural continuation. Thus, if you want to keep your enterprise safe, make sure to invest in a strategy that puts constantly updating software at the forefront. Only in this way can you efficiently prevent most cyberattacks.
Heimdal Patch & Asset Management might be the right solution for you. For more information, feel free to contact sales.inquiries@heimdalsecurity.com.