As more and more businesses move online, it’s increasingly important to guard against security threats.
Although we all know that cyber-attacks are common, it can be tricky to determine which parts of your system are vulnerable to hackers.
Yet one in three breaches takes place as a result of unpatched vulnerabilities—so it’s crucial to find out where the weaknesses are and take action to fix them.
That’s why an accessible list of common problems and dangers is so useful to organizations – which is where CVE comes in.
In a moment we’ll explain exactly what CVE is, but first, let’s look at what we mean by vulnerabilities and exposures.
What are vulnerabilities and exposures?
In cybersecurity, a vulnerability is any weakness in a computer system that could be exploited in a cyber attack.
It could allow an attacker to gain unauthorized access to the computer system and perform malicious actions—such as accessing system information, installing malware, or stealing, destroying, or modifying data.
There are many different types of vulnerabilities and each one has a different level of severity, depending on how dangerous the outcome is in the event it is exploited.
For example, a weakness in your customer support artificial intelligence system could lead to customer data being compromised.
An exposure is a mistake in software code or a configuration issue that allows an attacker to access a system or network.
Examples include running services for information gathering, running services that are a common attack point, and using applications that could be attacked by brute force methods.
An exposure does not by itself give an attacker direct access, but it is typically one component of an attack that violates a security policy.
It often leads to a data breach or leak, with some of the world’s largest data breaches caused by accidental exposure rather than sophisticated cyber attacks.
CVE is a reference list of these vulnerabilities and exposures.
What exactly is CVE?
CVE stands for Common Vulnerabilities and Exposures. It’s a free directory of publicly-known vulnerabilities and exposures in software.
This helps organizations identify potential problems in order to improve their cyber security and data protection methods.
CVE was launched in 1999 by the MITRE Corporation to identify and categorize vulnerabilities in software and firmware.
MITRE is a nonprofit organization that runs federally-funded research and development centers in the United States. It maintains the CVE list and website, as well as the CVE Compatibility Program.
CVE is sponsored by the US Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the US-CERT.
How does CVE work?
CVE assesses and categorizes vulnerabilities and exposures. It then makes the information publicly available, so that organizations can use this data to protect their systems.
When a researcher or a company spots a new vulnerability or exposure, such as a flaw or design oversight in software or firmware, they submit it for addition to the CVE list. For instance, they might notice a weakness during beta testing.
CVE investigates potential listings using the Security Content Automation Protocol (SCAP), and researchers may be asked to provide evidence of how the vulnerability or exposure could be used in a cyber attack. The stronger the claim, the more likely it is to be accepted.
Potential CVEs reported by established vendors or other trusted parties are usually added to the CVE list quickly.
Accepted listings are known as CVE entries. Each entry is given a standardized CVE name or “identifier” for a particular vulnerability or exposure.
Each unique identifier follows the same format—the letters “CVE”, the year it was added to the list, and a four-digit serial number. For example: CVE-1999-0067.
Giving a standardized name to each vulnerability makes it easier and faster for security professionals to access information about specific threats across multiple information sources.
Each CVE entry also gets a brief description and a vulnerability report, which helps researchers to find known cyber threats and attack signatures.
CVE identifiers may be assigned by MITRE, but they can also be issued by official CVE Numbering Authorities (CNAs). A request for a CVE identifier can be made for any vulnerability, although CVE gives priority to products, vendors, and product categories of participating CNAs.
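As an added example (not code from the original article), the following Python parser validates identifiers in the format just described and pulls them out of free text such as an advisory or a scanner log. It goes beyond the four-digit case shown above: since the 2014 CVE ID syntax change the serial (sequence) number may be four or more digits, so the parser accepts that too while still zero-padding short numbers back to four digits.

```python
import re
from dataclasses import dataclass

# CVE identifier syntax: "CVE-" + four-digit year + "-" + sequence number. Since the
# 2014 syntax change the sequence number is four OR MORE digits; CVE-1999-0067 from
# the article is the classic four-digit form.
CVE_ID_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)

@dataclass(frozen=True, order=True)
class CveId:
    year: int
    sequence: int

    def __str__(self):
        # Sequence numbers below 10000 are zero-padded back to four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"

def parse_cve_id(text):
    """Validate one CVE identifier (whitespace and case tolerant) and split it
    into year and sequence number; raise ValueError for anything malformed."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a valid CVE identifier: {text!r}")
    year, sequence = int(m.group(1)), int(m.group(2))
    if year < 1999:  # the list started in 1999, so earlier years cannot occur
        raise ValueError(f"implausible year in CVE identifier: {text!r}")
    return CveId(year, sequence)

def extract_cve_ids(text):
    """Pull every well-formed CVE identifier out of free text (an advisory, a
    changelog, a scanner log), de-duplicated and sorted newest first."""
    found = set()
    for m in CVE_ID_RE.finditer(text):
        try:
            found.add(parse_cve_id(m.group(0)))
        except ValueError:  # e.g. an implausible year; skip it rather than abort
            continue
    return sorted(found, reverse=True)
```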
What are CNAs?
CNAs are commercial organizations that identify and assign CVE identifiers and distribute them to researchers and security vendors for public announcements of new vulnerabilities and exposures.
There are currently 201 CNAs in 32 countries, including the likes of Apple, Linux, Adobe, IBM, and Microsoft.
CNAs include vendors and projects, national and industry CERTs, and vulnerability researchers. To become a CNA, you must have established vulnerability management practices and a vulnerability disclosure policy.
There are three types of CNA:
- MITRE, which is classed as the “primary” CNA;
- Root CNAs, which cover a certain area or niche;
- and the CERT Coordination Center, an emergency response team that can also assign CVE identifiers.
Root CNAs are often large companies like Apple and Microsoft, who disclose vulnerabilities and exposures in their own products.
What is the CVSS?
Potential CVEs that are judged to have a strong claim will also be given a high Common Vulnerability Scoring System (CVSS) score.
The CVSS assesses the severity and potential impact of a vulnerability and assigns it a score based on that assessment. CVSS scores range from 0.0 to 10.0. The higher the number, the higher the degree of severity.
Is CVE a vulnerability database?
No, it isn’t. Vulnerability databases include risk, impact, fix, and other technical information in their entries, whereas CVE does not.
However, CVE is designed to allow vulnerability databases and other tools to be linked together so that you can access more data. It also enables you to make comparisons between security tools and services.
If you want to use an official vulnerability database in conjunction with CVE, you can. For example, CVE is directly connected to the National Vulnerability Database (NVD).
Although they are two separate entities, all entries from MITRE are also available in the NVD. Every time a vulnerability or exposure is reported to CVE, MITRE sends the CVE identifier and a short description to the NVD, which then provides a more thorough security analysis.
Others include the Vulnerability Assessment Platform (Vulners), which is the largest correlated database of vulnerabilities and exploits. It has a regularly-updated database with more than 70 sources.
Meanwhile, the Vulnerability Database (VulDB) documents all security vulnerabilities disclosed for electronic products, and CVE Details uses NVD’s data alongside sources such as Exploit Database.
Where can I see the CVE list?
CVE is free to use and publicly accessible. The latest version of the CVE list is available at www.cve.mitre.org, and new CVE identifiers are added daily. Anyone can search, download, copy, redistribute, reference, and analyze the list—as long as they don’t modify any of the information.
It can be difficult to know exactly which of the vulnerabilities might affect your organization – after all, the risks to a supplier of cold calling systems are very different from those faced by organizations that handle medical data.
Luckily, there are a number of useful tools that monitor any changes in the CVE list and let you know if you need to address a particular issue. Look out for security tools with CVE compatibility.
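The CVSS severity buckets described earlier and the list-monitoring tools mentioned here can be combined in a small checker. This is an added example, not code from the article or from any CVE tool: it diffs two constructed snapshots of a CVE feed against a constructed software inventory and ranks the new matches using the CVSS v3 qualitative rating scale (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0), which the article does not spell out.

```python
import re

# Constructed sample snapshots of a CVE feed: identifier, short description and CVSS
# base score (None when unscored). The identifiers are made up and refer to nothing real.
OLD_SNAPSHOT = [
    {"id": "CVE-2020-10001", "description": "Buffer overflow in ExampleMail server", "cvss": 7.5},
    {"id": "CVE-2020-10002", "description": "Weak default password in WidgetOS", "cvss": None},
]
NEW_SNAPSHOT = OLD_SNAPSHOT + [
    {"id": "CVE-2020-10003", "description": "Remote code execution in WidgetOS updater", "cvss": 9.8},
    {"id": "CVE-2020-10004", "description": "Information disclosure in AcmeCRM reports", "cvss": 5.3},
    {"id": "CVE-2020-10005", "description": "Denial of service in FooProxy", "cvss": 4.0},
]
INVENTORY = ["WidgetOS", "AcmeCRM"]  # constructed: products the organization runs
# Ranking order; unscored entries are reviewed ahead of those rated "None".
RATING_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Unscored": 4, "None": 5}

def cvss_rating(score):
    """Map a CVSS base score (0.0-10.0) to the CVSS v3 qualitative rating."""
    if score is None:
        return "Unscored"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def new_relevant_entries(old, new, inventory):
    """Entries in `new` but not in `old` whose description names an inventoried
    product, as (id, rating, product) tuples, most severe first."""
    known = {e["id"] for e in old}
    # Whole-word, case-insensitive match so "WidgetOS" does not match "WidgetOSX".
    patterns = {p: re.compile(rf"\b{re.escape(p)}\b", re.IGNORECASE) for p in inventory}
    hits = []
    for entry in new:
        if entry["id"] in known:
            continue
        for product, pattern in patterns.items():
            if pattern.search(entry["description"]):
                hits.append((entry["id"], cvss_rating(entry["cvss"]), product))
                break
    hits.sort(key=lambda hit: (RATING_ORDER[hit[1]], hit[0]))
    return hits
```

Run it against the two snapshots and only the WidgetOS and AcmeCRM entries come back, with the Critical one first; the FooProxy entry is ignored because nothing in the inventory matches it.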
Could hackers use CVE to attack my organization?
Well, yes, technically they could. Hackers are smart and getting smarter. But that’s exactly why taking all possible steps to protect your organization is so crucial—and why CVE is helpful.
Because CVE only shares publicly-known vulnerabilities and exposures, it’s pretty likely that hackers know about them already (so CVE isn’t giving the game away). And the list is really useful to help organizations know what they need to look out for.
By making it easier to share information about vulnerabilities and exposures, the whole community is made safer and the risk of an attack is reduced. Overall, it’s agreed by most cybersecurity professionals that the benefits of CVE outweigh the potential risks.
How does CVE protect my organization against cyber threats?
It’s important to note that CVE does not list every single vulnerability and exposure, which would be an impossible task. But, as we said a moment ago, sharing information between organizations is a great way to increase awareness of potential threats.
The centralized list and CVE identifiers mean researchers can quickly scan for a particular vulnerability or exposure, and access information from a variety of sources.
The CVE list is like an early-warning system, helping you to recognize threats and identify weaknesses that could leave your organization open to attack.
CVE also provides a useful benchmark for assessing the strength of your cyber security. And, because CVE enables you to accurately compare different security tools and services, you can use it to help you choose which are the most appropriate for your needs.
So, whether you want to check the security of your internal systems or the safety of your client’s payment information, you can protect customers at all stages of the sales funnel.
Jessica Day – Senior Director, Marketing Strategy, Dialpad
Jessica Day is the Senior Director for Marketing Strategy at Dialpad, a modern multi-channel call center platform that takes every kind of conversation to the next level—turning conversations into opportunities. Jessica is an expert in collaborating with multifunctional teams to execute and optimize marketing efforts, for both company and client campaigns.