What are CVEs?
The world of Cybersecurity Vulnerability management is as wide is it is deep. Nefarious actors fighting to infiltrate networks will rip apart common vulnerabilities (CVEs) of the tools used to conduct business and look at every nook and cranny to see how they can get a foot in the door. Thankfully as these exploits are found, they are cataloged and reported so that the community at large can take steps to mitigate their security risks.
One of the largest bodies and catalogs of these vulnerabilities is known as the MITREs CVE List, or Common Vulnerabilities and Exposures (CVE). The CVE List was launched by the MITRE Corporation as a community effort in 1999, to help build a list of known vulnerabilities to help rapidly publicize publicly known threats across the landscape. While the CVE isn’t just another vulnerability database, it is still one of the largest resources for many cybersecurity professionals to use to help mitigate risks across their networks.
This community effort in building a CVE list has many benefits and can help quicken the strengthening of defenses across public and private networks. Since Hackers have easier communication channels to communicate exploits, it is imperative that those protecting networks also build some form of communication system to counteract attacks. CVE enables swift data correlation across multiple sources regarding the vulnerabilities and exploits listed. Knowing the cracks in your armor doesn’t only allow for a path of mitigation and removal of them, sometimes you can’t remove a tool or system, and thus need to find the tool necessary to cover or mitigate the risk in another way.
To follow, Security advisories often include CVEs in them, and knowing how to read and research them further is necessary to further your security posture. You would bake these CVEs into your vulnerability management program and scanners to help identify and monitor for exploitation
Reporting a CVE requires contacting any one of the CVE Numbering Authorities (CNAs), most likely MITRE which is the primary contributor to its own vulnerability database.
It is important to remember that new CVE entries may take time to appear in the MITRE database (upwards of months).This can happen for a variety of reasons:commercial, legal, or staffing issues.
One major consideration in this is that CVE upkeep and tracking is most definitely not the end all – be all for risk management. There are still CVE-less Vulnerabilities. Some start out as Zero Days that haven’t been reported yet or some vulnerabilities and exposures just won’t be reported and cataloged.. So due diligence is still required. Keep in mind that Zero days, or not cataloged or reported events and vulnerabilities, must first affect someone for it to be listed, so looking at heuristics and holistic integration of cybersecurity tools to monitor for Zero days is still a major part of your vulnerability management strategy.
How to Read a CVE:
CVE + Year + 4 Digit serial number
Every new CVE entry receives a unique ID following the above formula:
For example Log4J has the CVE of CVE-2021-44228
CVE numbers are usually given to each new CVE issue by MITRE. However, it is worthwhile noting that MITRE is not the only one. Are other entities known as CVE Numbering Authorities (CNAs) have the authority to create them.
Beyond their unique ID, each CVE receives an entry date indicating when it was created followed by an individual description field and a reference field. If the vulnerability or exposure was reported by another entity, it will be liked and tie together any previous intel before being submitted as a CVE
Linking to technical information about the exposure occurs, and each CVE receives a CVSS score from the National Vulnerability Database, indicating its security severity. The NVD’s security severity ranking helps determine how to react to mitigating the vulnerability and how fast it should be done.
The CVSS score follows a formula made up of several security metrics. The metrics involved in determining the severity of a vulnerability include how access occurs, complexity of attack, confidentiality of data within the system containing the vulnerability, and the integrity of the exploited system, just to name a few.
As mentioned, CVEs and vulnerability lists aren’t the only thing you need to include in your cybersecurity vulnerability management program, but they provide a good layer of protection to filter out the most used exploits used in the wild. Unfortunately for CVEs to be useful, we must also know what we have in our environment. Moving to integrate CVE management into your cyber program (which most companies have been moving to do) not only enables more telemetry but forces a company to put all their ducks in a row, allowing for a more transparent, understood, and manageable path forward for increasing your company’s cybersecurity posture.
Contact us today to speak to an expert and learn how you can protect yourself from vulnerabilities in your organization and other security threats. Be sure to also check in on our blog for updates on today’s cybersecurity news and content on constructing your organization’s cybersecurity program.
Written by: William Sheehy