November 10, 2020

Known Vulnerabilities: How to Identify and Contain Your Number One Security Pain Point


Judging by the name alone, known vulnerabilities would seem to be security gaps that are both clearly visible and easily contained. In reality, that is not the case. Once a vulnerability is disclosed to the public, defensive measures can be taken against it. Still, disclosure does not stop cybercriminals from devising ways to get in through those loopholes, with the intent to do harm and steal sensitive data.

What is a Known Vulnerability? 

A known vulnerability is a publicly reported security gap in a system or network that gives hackers a potential entryway to extract sensitive data, for example by injecting malicious code. The resulting exposure of data is known as a data breach. Gartner reports that in 2020, 99% of vulnerabilities will continue to be ones already known to security and IT professionals.

Let’s Count Them Up 

In 2019 alone, 22,316 vulnerabilities were disclosed and published, according to Risk Based Security’s 2019 Year End Vulnerability QuickView Report. If we do the math, that amounts to 61 per day. Of course, new disclosures arrive at an irregular pace (heaps on some days, only a few on others), but keeping up with them is a challenge either way.

Structured databases were introduced to solve that problem by collecting vulnerabilities and their associated information in one place. These databases let businesses run regular checks that give greater visibility into whether those vulnerabilities are present in their systems, so the risk level can be assessed appropriately.

Classifying Known Vulnerabilities

The most common tools used to classify known vulnerabilities and interpret their information are CVE, CVSS, CWE, CPE, and NVD.

CVE: Launched in 1999 by the US Department of Homeland Security and maintained by The MITRE Corporation, Common Vulnerabilities and Exposures (CVE) serves as a virtual reference library for identifying and sharing updates about known vulnerabilities, assigning each a unique ID and publishing an entry that describes the vulnerability.

The CVE list is best understood as a dictionary of IDs. A CVE entry includes a brief description, but it does not provide a risk level, technical details, or advice on how to fix the issue.

CVSS: The Common Vulnerability Scoring System, developed by MITRE, assigns a numeric score to the severity of a vulnerability. The score is built from three distinct metric groups: Base (a fixed set of details including the attack pathway, complexity, and impact); Temporal (time-related information such as the length of remediation required); and Environmental (the sensitivity of the particular system to the vulnerability). A total score of 0.0 to 3.9 is considered low severity; 4.0 to 6.9 medium severity; and 7.0 to 10.0 high severity.

CWE: The Common Weakness Enumeration, a classification system introduced by The MITRE Corporation. Each vulnerability is mapped to a weakness type, which sits in a hierarchy of categories for easier risk assessment. For example, CWE-285 covers vulnerabilities linked to Improper Authorization.

CPE: The Common Platform Enumeration, a structured naming scheme that describes the product name and version ranges a CVE applies to. CPEs are part of the NVD; a CPE must be present in the NVD for its information to be displayed.

NVD: The National Vulnerability Database, created by the US government, which carries information on CVEs. The vulnerability data is exposed through the Security Content Automation Protocol (SCAP).
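As an added example (not code from the original post or from any product it mentions), here is how the identifiers above fit together in one triage step: a constructed record carrying a placeholder CVE id, a CVSS score mapped to the article’s severity bands, the CWE it is tagged with, and a CPE 2.3 match whose versionStartIncluding/versionEndExcluding range (modelled on the fields the NVD uses for CPE ranges) is checked against the CPE of an installed product. The vendor, product and version values are invented.

```python
import re
# Constructed sample record, not a real CVE entry: the id is a placeholder and the
# cpe_match entry mirrors the versionStart*/versionEnd* fields NVD uses for CPE ranges.
RECORD = {
    "id": "CVE-2020-00000", "cvss_base": 7.5, "cwe": "CWE-285",
    "cpe_match": [{"criteria": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
                   "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.1"}],
}
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE-YYYY-NNNN with four or more digits
CPE_KEYS = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")

def severity(score: float) -> str:
    """Map a CVSS score to the low/medium/high bands quoted in the article."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return "low" if score < 4.0 else "medium" if score < 7.0 else "high"

def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string on unescaped colons into its 11 named fields."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_KEYS, fields[2:]))

def _vtuple(version: str) -> tuple:
    # Dotted numeric versions only (e.g. 2.4.1); tuples compare component-wise.
    return tuple(int(p) for p in version.split("."))

def affected(installed_cpe: str, match: dict) -> bool:
    """True if the installed product falls inside this cpe_match entry's version range."""
    inst, crit = parse_cpe(installed_cpe), parse_cpe(match["criteria"])
    if any(crit[k] not in ("*", inst[k]) for k in ("part", "vendor", "product")):
        return False
    if crit["version"] != "*":  # exact-version criteria: no range to evaluate
        return crit["version"] == inst["version"]
    v = _vtuple(inst["version"])
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    below = (lo_inc and v < _vtuple(lo_inc)) or (lo_exc and v <= _vtuple(lo_exc))
    above = (hi_inc and v > _vtuple(hi_inc)) or (hi_exc and v >= _vtuple(hi_exc))
    return not (below or above)

def triage(record: dict, installed_cpe: str) -> dict:
    """One inventory row combining the identifiers: CVE id, CWE, severity band, exposure."""
    if not CVE_ID.match(record["id"]):
        raise ValueError(f"malformed CVE id: {record['id']}")
    return {"id": record["id"], "cwe": record["cwe"], "severity": severity(record["cvss_base"]),
            "affected": any(affected(installed_cpe, m) for m in record["cpe_match"])}
```

Note that a CVE carries none of this by itself: the severity comes from CVSS, the weakness class from CWE, and the "am I affected?" answer from the CPE match data, which is exactly why the entry alone gives so little to act on.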
 

Known Vulnerabilities in Open Source Software  

According to NopSec, there is an average 27-day delay between a CVE’s initial discovery and its NVD publication. Because the NVD houses CVEs, which require a formal filing procedure and approval by a CVE Numbering Authority (CNA), the process demands more time and effort, and it is a less prominent vulnerability management method for open source software (OSS) packages.

Some widely used vulnerability databases in the open source community are Snyk’s DB, Node Security Project, Rubysec, and Victims DB.

It’s important to note that CWE and CVSS can still be used to classify vulnerabilities whether or not they are linked to a CVE and published in the NVD.

What is CsRM, and why do you need it? 

CyberSec Risk Manager (CsRM) is a module-based security platform which significantly reduces the risk posed by known vulnerabilities and improves foresight through live monitoring. As mentioned earlier, two main issues arise when taking the traditional route of vulnerability management through the NVD and other vulnerability databases:

  • Incomplete vulnerability data. The NVD stores limited information about a vulnerability in the form of codes and classifications, which gives minimal insight and does not give organizations full visibility of the problem at hand.
  • Vulnerabilities taking a long time to appear. This is usually due to a lack of resources available to research the entries before they are submitted for approval and published.

CsRM addresses both challenges by providing:

  • Real-time alerts and long-term risk monitoring. The platform notifies you when an alarming risk level has been reached. Analyze your security posture over time with comprehensive information, so you can make smarter business decisions going forward.
  • Automatic vulnerability inventory. All your vulnerabilities are compiled in a single place, making it easy to track and control vulnerability maturity and remediation time for each case.
  • CI/CD pipeline integration. Whether you use Jenkins, GitLab, or another automated DevOps tool, your vulnerability management and software lifecycle processes are streamlined for maximum productivity and responsiveness.

Reach out to our cybersecurity experts to discuss how implementing CsRM will help protect your critical business assets and leave you more time for expanding your portfolio and reaching new milestones.

Curious about the latest cybersecurity trends of 2020? Download our brief which highlights this past year’s key findings and statistics from leading security reports.