• XRATOR
  • Contact Us
  • Privacy & Policy
Conquer your risk
  • Home
  • Articles
  • News
  • Research
  • State of the art
No Result
View All Result
  • Home
  • Articles
  • News
  • Research
  • State of the art
No Result
View All Result
Conquer your risk
No Result
View All Result
Home Vulnerability & Weakness

Why CVE Is Not A Good Vulnerability Management Strategy

All vulnerability with a high CVSS means they are really exploitable. Prioritizing vulnerabilities require to be attacker-centric.

Gert Van de VenbyGert Van de Ven
December 15, 2022
in Articles, Vulnerability & Weakness
1
Why CVE Is Not A Good Vulnerability Management Strategy

Any business that has an online presence should comprehend the fundamentals of vulnerability and exploitability. There is no such thing as absolute security; there will always be a new, unanticipated danger, persistent vulnerability, or unexpected flaw. Both human factor and technical stack can make an organization vulnerable to attacks. It is impossible to eradicate every single attack opportunity.

However, it is not necessary to be faster than the assailant. The important thing is to be smarter than them. The main goal is to reduce the attack surface as much as possible, by first limiting vulnerabilities and then defending against exploits as mentioned above. This two-edge strategy will make sure that attackers find your organization a less attractive target, and that is the ultimate goal.

Vulnerability versus Exploitability : Sinews of War

Being aware of the distinction between vulnerability and exploitability can be beneficial when it comes to defending your system. This knowledge can enable you to focus on those vulnerabilities that can do real harm to your business (i.e., exploitability). It helps to keep your systems more secure by prioritizing vulnerabilities mitigation.

After identification and testing, any potential security vulnerabilities are added to the MITRE CVE glossary, a public catalogue. NIST, the National Institute of Standards and Technology, then examines the vulnerabilities, and all related data is included in the NIST National Vulnerability Database (NVD). In order for a flaw to be categorized as a CVE vulnerability, it must meet a prescribed set of requirements:

  • Independent: The vulnerability can be fixed on its own without prerequisites of fixing other issues.
  • Acknowledged: The software supplier know the vulnerability and recognize its risk.
  • Proven risk: Evidence are attached to the vulnerability to prove its impact on security.

The CVSS is one of several ways to measure the impact of vulnerabilities, which is commonly known as the CVE score. This score between one and ten is designed to give an idea of how dangerous is the vulnerability.

The National Institute for Standards and Technology reported that in 2021, there was an all-time high of 20,158 vulnerabilities found. This was the fifth consecutive year that the number of vulnerabilities had increased and it is likely that this trend will continue into 2022. It is impossible to fix 20,000 vulnerabilities in one year, and it would be unwise to try and do so.

Visualization of the number of CVE released each year, broken down by its CVSS severity (source: NIST)

It might not make sense at first, but there are logical explanations for why it isn’t. One explanation is that current studies show that only 2.7% of CVE can actually be used by attackers. Various factors can explain why certain vulnerabilities discovered through security scanners and pentesters may not be that easy to exploit and therefore, do not present a notable risk:

  • No exploit: If attackers wants to take advantage of the vulnerability, they will have to code themselves an exploit code. This reduce hugely the likelihood of the vulnerability to be exploitable by cybercriminals.
  • Network Access: The vulnerability can be leverage, but in a specific context it may not always be at the adversary fingertips. It may be behind layers of firewalls or in an airgap network.
  • Complexity: The vulnerability is not easily exploitable and requires a lot of conditions to run smoothly.
  • Stability: The exploitable is very random and may cause crash without doing harm to the system.

Patching all vulnerabilities is not a wise use of time for those who already have plenty of duties. Additionally, even if you did patch every vulnerability in your system, it wouldn’t necessarily mean that hackers would be kept away.

Exploitability versus Exploited: No Mercy Triage

Numerous strategies exist for cyber criminals to breach an organization’s security, and many don’t necessitate a critical CVE or any kind of vulnerability to be successful. Phishing, spear-phishing, social engineering, exposure of credentials, default passwords are just a few of the tactics employed. A good illustration of this is the recent Uber hack which shows that hackers don’t need to resort to the newest CVEs or state-of-the-art techniques in order to compromise a business.

The first thing an attacker wants is that its operation succeed. If social engineering is more likely to work that a cutting-edge technical vulnerability, why bother? In addition, several factors may reduce the appeal of an exploitable vulnerability for an offensive operation:

  • Does the vulnerability have an exploit proof-of-concept ? 
    If yes, then their is more chance to be exploited, because it is less vulnerability research.
  • Does the Proof-of-Concept has been included in offensive framework (Canvas, Metasploit, Elliot or Dsquare) ?
    If yes, then their is more chance to be exploited, because you have a more stable weapon.
  • Does the vulnerability enables Arbitrary Code Execution ?
    If yes, then their is more chance to be exploited, because you can inject your own malicious payload.
  • Does the vulnerability is exploitable via remote access ?
    If yes, then their is more chance to be exploited, because you can take advantage of it without gaining a first access in the network.
  • Does the vulnerability applies to web technology ?
    If yes, then their is more chance to be exploited, because most of companies have an internet presence.
  • Does the exploit code can cause a memory corruption ?
    If yes, then their is less chance to be exploited, because the attacker increase the risk of crash and detection.

Patching is vital for upholding a robust security stance and is an integral part of every security plan. The problem, however, is that many tools currently prioritize solutions based only on the Common Vulnerability Scoring System (CVSS) scores, and what is overlooked is the organizational context; obtaining knowledge on how to differentiate the significant 3% of vulnerabilities from the remainder of the 97%.

Tags: CVECVSSExploitRisk AssessmentRisk Quantification

Categories

  • Cybercrime
  • Malware
  • Vulnerability & Weakness
  • Threat Intelligence
  • Cyber Attacks
  • Cybersecurity
  • Offensive Security
  • Risk Management
  • Cyberdefense
  • Cyber Insurance

Popular News

  • Cybercriminals regularly hack into individual and organization network. They may steal password to sell them on the darkweb.

    4 websites to check if your password is in the darkweb

    0 shares
    Share 0 Tweet 0
  • 10 Essential Tools for IoT Pentesting

    0 shares
    Share 0 Tweet 0
  • Threat Modeling : from Software Security to Cyber Risk Management

    0 shares
    Share 0 Tweet 0
  • 8 TV Shows and Movies about Personal Data Abuse

    0 shares
    Share 0 Tweet 0
  • The Code Knight: Mastering the Craft of Defensive Programming

    0 shares
    Share 0 Tweet 0

"Conquer Your Risk" is a corporate blog for Cybersecurity and Risk Management executives and specialists, sharing XRATOR experts' views on Cybersecurity, Threat Intelligence, Risk Management and Cyber Insurance.

Categories

  • Articles
  • Cyber Attacks
  • Cyber Insurance
  • Cybercrime
  • Cyberdefense
  • Cybersecurity
  • Malware
  • News
  • Offensive Security
  • Research
  • Risk Management
  • Scams
  • State of the art
  • Threat Intelligence
  • Uncategorized
  • Vulnerability & Weakness

Quick Links

  • XRATOR
  • Our Experts
  • Privacy Policy
  • Contact Us

XRATOR® – copyright 2020-2021

No Result
View All Result
  • Contact Us
  • Homepages

© 2018 JNews by Jegtheme.

Manage Cookie Consent
We use cookies to optimize our website and our service.
By closing this windows, you automatically deny non-functionals cookies.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Preferences
{title} {title} {title}
Manage Cookie Consent
We use cookies to optimize our website and our service.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Preferences
{title} {title} {title}