Nov 1, 2021
There are infinite vulnerabilities out there that make us susceptible to cyberattacks, and as of this year, we’re on track to have identified 20,000 of them. While there’s a whole risk mitigation ecosystem in place, CVE (formerly known as the Common Vulnerabilities and Exposures Program) has played a huge role in establishing a dictionary-esque database with an ID and a definition for each known vulnerability.
On this episode of What That Means, Camille is joined by returning guest Katie Trimble-Noble (Intel - Director, PSIRT & Bug Bounty) to describe the critical nature of CVE in greater detail.
- The origins and evolution of CVE (formerly known as the Common Vulnerabilities and Exposures Program)
- Why CVE matters, and what it does and doesn’t do
- How NVD (the National Vulnerability Database) and CVSS (the Common Vulnerability Scoring System) differ from and apply to CVE
- How risk severity is actually scored
- Who and what CVE Naming Authorities (CNA) are, why they’re important, and the process of becoming one
... and more. Really interesting stuff, so tune in!
And if you like what you hear, catch an earlier conversation Camille had with Katie in WTM Episode 26: Bug Bounty and Crowdsourced Security; Alexander (RoRo) Romero joins them for a great discussion, and you don’t want to miss it: https://bit.ly/3mv9yVr
The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
Here are some key takeaways:
- CVE makes up an important part of the mitigation ecosystem, and its main mission is to catalog and identify known vulnerabilities; we can think of it as a sort of dictionary in that it tells you the definitions of vulnerabilities.
- Although CVE does not expand on the severity of vulnerabilities, it does list which ones are in your network; NVD and CVSS help to paint a clearer picture of risk level.
- While ideally everything would be patched, there has to be a hierarchy of priority; that’s what makes CVE so crucial, because it enables system admins to differentiate and decide what to patch first based on risk analysis.
- CVE also helps to identify vulnerabilities in a universally recognizable way.
- Some vulnerabilities can intersect to form an attack chain, which is a common phenomenon that’s often referred to as a “daisy chain.”
- CNAs are vendors, government agencies and research organizations that have a deep knowledge of vulnerabilities because they own a product or have done extensive research on it; these CNAs can publish directly to the CVE Master List.
- There are currently 161 CNAs around the world, one of which is Intel.
- As of 2021, the number of vulnerabilities identified is on track to reach 20,000.
- There is no cookie-cutter response to risk, because which things get fixed, and in what order, depends on the implementation.
- It’s important for consumers to put pressure on manufacturers to be transparent about vulnerabilities, because in the end, it strengthens the entire ecosystem.
Some interesting quotes from today’s episode:
“Everyone uses CVE. And the reason that you use CVE is when you’re doing your risk analysis to patch management, your system admins need to know what are we vulnerable to so that they can make that risk-based decision of what gets patched first.”
“Really risk is in the eye of the beholder. I can’t say what’s more important for you to patch because you have certain mitigating compensating controls on your end, the implementation end of the user. The implementation really dictates how things get fixed in what order they get fixed.”
“It’s not the mission of the CVE program to really get into some of those kind of theoretical details. It’s more sticking to the mission of the CVE program to identify and catalog those vulnerabilities so that you can enable the user end with the best risk-based program that can be available. It’s all about transparency and truth.”
“There was a lot of back and forth about what exactly is an exposure. So ultimately it was decided that in the best interest of the community, it was better to focus on CVEs in the form of vulnerability identification.”
“The CVE Master List is really just a reflection of the known vulnerabilities; there are an infinite number of vulnerabilities out there.”
“I mean, my Fitbit could have vulnerabilities and that’s not something you saw 10 years ago.”
“I think that we’re going to continue to see a rapid increase in the quantity of vulnerabilities that have been identified. And that’s why it’s so important to have that community-based approach, those CNAs, those people who are sitting there cataloging vulnerabilities in their systems.”
“As the consumer, you want to put pressure on your product manufacturer to build a secure product.”
“If you can attack that insulin pump and you can cause an insulin pump to dump all the insulin in one minute, you can kill a person. That is a frightening vulnerability, and those kinds of real-world sort of impacts, they’re not theoretical anymore. They’re very real today.”
“When you disclose vulnerabilities, you make the overall ecosystem stronger and better and smarter.”