Page 16 - Cyber Warnings August 2017

Don’t be Common When It Comes to Vulnerability Management

The dangers of over-reliance on CVE and CVSS

by Marina Kidron, Leader, Skybox Research Lab, Skybox Security

Effectively managing vulnerabilities in today’s large, complex networks is a monumental undertaking. It has been made worse in recent years through the use of antiquated approaches that leave portions of the attack surface exposed for too long, or fail to address mid-level threats that could enable or prolong an attack.

Many vulnerability management programs and technologies rely on two standards for vulnerability information: MITRE’s Common Vulnerabilities and Exposures (CVE) program and FIRST’s Common Vulnerability Scoring System (CVSS). While both still have a major place in vulnerability management, they are two of several pieces in a much larger puzzle.

               The CVE Shortfall

CVE, the old-guard vulnerability “dictionary,” is falling behind and leaving security teams and technologies that rely on it open to risk. According to Joshua Corman’s keynote at this year’s SOURCE Boston conference, CVE is covering a little less than 50 percent of all disclosed vulnerabilities.

To be fair, MITRE has made strides in assigning identification numbers to more qualifying vulnerabilities. In 2016, the program logged 6,431 CVE IDs. In just the first half of 2017 alone, MITRE already surpassed last year’s figure, tallying 6,592 CVE IDs.


The increase in CVE IDs is likely welcomed by the technologies and vulnerability management programs that rely on these identifiers. But considering this is less than half the picture of all disclosed vulnerabilities, there’s little cause for celebration.

Moreover, vulnerabilities still play a major role in threat management, but they are not the only factor. Malware can be delivered via social engineering, using a crafted macro or another code execution technique, and does not require a vulnerability at all. This threat cannot be addressed by CVEs, but it certainly can’t be left out of threat management programs.

               CVSS and Your Unique Snowflake of a Network

More than a decade ago, CVSS was developed to help organizations prioritize vulnerability remediation. However, due to lack of vendor resources, the dream of CVSS was never fully realized, and what exists today serves as only a baseline scoring system.
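To make the “baseline” concrete, here is an added example (not from the article or from Skybox) that computes a CVSS v3.1 base score from a vector string and then re-scores it with the Environmental metrics once the asset’s real reachability and data requirements are supplied; the vector and the network scenario are constructed, and temporal metrics are assumed Not Defined. The base number is the same in every network; only the environmental re-scoring reflects where the vulnerable host actually sits and what it holds.

```python
import math

# CVSS v3.1 metric weights, taken from the FIRST specification (section 7.4).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)},  # (S:U, S:C)
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "REQ": {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0},  # CR / IR / AR
}

def roundup(x):
    """Round up to one decimal place as defined in CVSS v3.1 Appendix A."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/")[1:])

def _score(av, ac, pr, ui, changed, c, i, a, cr, ir, ar, modified):
    iss = 1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar)
    if modified:
        iss = min(iss, 0.915)  # the environmental formula caps MISS
    if not changed:
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * av * ac * pr[changed] * ui
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))

def scores(vector, env=None):
    """Return (base, environmental). `env` maps modified metrics (MAV, MAC, MPR,
    MUI, MS, MC, MI, MA) and requirements (CR, IR, AR) to their values; anything
    omitted is Not Defined (X). Temporal metrics are assumed Not Defined."""
    m, env = parse(vector), env or {}
    g = lambda k: env.get("M" + k, m[k])  # modified metric if given, else the base one
    cia, req = W["CIA"], W["REQ"]
    base = _score(W["AV"][m["AV"]], W["AC"][m["AC"]], W["PR"][m["PR"]], W["UI"][m["UI"]],
                  m["S"] == "C", cia[m["C"]], cia[m["I"]], cia[m["A"]], 1.0, 1.0, 1.0, False)
    environmental = _score(W["AV"][g("AV")], W["AC"][g("AC")], W["PR"][g("PR")], W["UI"][g("UI")],
                           g("S") == "C", cia[g("C")], cia[g("I")], cia[g("A")], req[env.get("CR", "X")],
                           req[env.get("IR", "X")], req[env.get("AR", "X")], True)
    return base, environmental
```

For the constructed vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H the base score is 9.8 everywhere, but on a host reachable only from an adjacent segment and holding low-value data (MAV:A, CR:L, IR:L, AR:L) the environmental score drops to 6.9, and with only local reachability (MAV:L) to 8.4.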

Even if CVSS had lived up to its potential, its severity scoring would not take into consideration the factors of vulnerabilities as they exist in a particular network. Traditional vulnerability management approaches do little to bridge the gap between the academic understanding of a vulnerability’s severity and the real threat it poses to an organization. In fact, many simply throw in asset criticality and call it a day. But even considering the asset the vulnerability would affect ignores these other crucial factors influencing its severity:
Cyber Warnings E-Magazine – August 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide.