Since 1999, the National Cybersecurity Federally Funded Research and Development Center (FFRDC) and MITRE Corp. have funded and maintained a database of publicly disclosed information security issues, known as Common Vulnerabilities and Exposures (CVEs). This database simplifies the exchange of information about known and emerging cybersecurity threats, where each vulnerability is assigned a unique CVE identifier, or CVE ID.
This guide can help you better understand how to use CVEs, how they affect your cybersecurity protocols, and how to best protect your business from vulnerabilities. We’ll define key terms and concepts along the way, making it easy to understand. Use the table of contents below to navigate to each topic, or you can read straight through from start to finish.
What Does Common Vulnerabilities and Exposures (CVEs) Mean?
It’s first helpful to know what exactly is contained in the Common Vulnerabilities and Exposures (CVEs) database.
An information security vulnerability is a weakness in an IT system that makes it easier for attackers to gain access to that system – giving the attacker an opportunity to install malware or to steal (and later sell) your data. A vulnerability is akin to a hole or a soft spot in the defense wall protecting your systems; attackers will find that weak spot and use various exploits against it, including SQL injection, cross-site scripting (XSS), and buffer overflows.
An exposure is a mistake that allows for a data breach. If a vulnerability is like a hole in the wall, then an exposure is like someone forgetting to lock the gate. If you’ve worked with your stakeholders to create a security policy for both physical and digital threats, then you most likely have already thought about protecting your organization against exposures.
Known vulnerabilities and exposures are logged in the CVE, with knowledgeable experts maintaining existing entries and expanding on new ones. Many cybersecurity platforms integrate with the CVE to keep the most updated version of existing vulnerabilities and exposures available (platforms including ZenGRC).
The Benefits of Common Vulnerabilities and Exposures
One of the biggest benefits of CVEs is that your organization can better understand what vulnerabilities already exist within your CVE-compatible products, allowing you to update software and install available patches before any threat occurs. When considering new cybersecurity protocols or tools, you can quickly check the CVEs to see which products have been reviewed against the database for security issues, making your purchase decision more informed.
Given how bad actors constantly change their tactics to leverage vulnerabilities and exposures more successfully, implementing vulnerability management is crucial for cybersecurity; using a database like the CVEs is part of that. It exists to share information about new threats across organizations. You’ll receive alerts for developing cyber risks, allowing you to plan and improve your cybersecurity protocols in advance of a risk event.
CVEs vs. Vulnerability Databases
The biggest difference between the CVE list and other vulnerability databases, such as the U.S. National Vulnerability Database (NVD), is the type of information available. The CVE list records publicly known information security issues, each with its unique CVE name and number, the date of the entry, a brief description of the issue, and any comments pertaining to it.
Other vulnerability databases may provide more contextual information for understanding each threat. The NVD, for example, scores each vulnerability, ranking them by severity of threat. The NVD uses a shared scoring system known as the Common Vulnerability Scoring System, or CVSS.
When trying to understand how to improve your risk management process, your key stakeholders on your information security team will need to access both the CVEs and the NVD for a complete picture of known and developing vulnerabilities and exposures. This information will also be shared with your Computer Emergency Response Team (CERT).
How Are CVEs Determined?
CVEs are most often discovered by third parties working in the cybersecurity space: vendors, users, or researchers. Those discoveries are then reported to a CVE Numbering Authority (CNA), which is a registered and authorized organization that can grant unique CVE IDs to vulnerabilities and add them to the database.
Sometimes, individuals or small teams report vulnerabilities as part of a bug bounty program, in which programmers and engineers discover vulnerabilities and provide patches before the vulnerability is made public, in exchange for a reward. MITRE Corp., which manages the CVE list, may wait some time before making these pre-disclosure entries public on the CVE website.
Examples of Common Vulnerabilities and Exposures
Some examples of common vulnerabilities include:
- SQL injection. In this type of vulnerability, an attacker supplies input that is interpreted as part of a database query, manipulating the query to reach data the attacker couldn’t otherwise access.
- Cross-site scripting (XSS). When a user browses your organization’s website, an attacker may be able to embed script in the page that runs in the user’s browser, stealing the user’s cookies or defacing your website.
- Buffer overflow. A buffer is an allocated block of memory meant to hold data such as a character string. If a program writes past the end of the buffer, it overwrites adjacent memory, which can be used to cause the execution of malicious code.
The most common type of exposure in cybersecurity is a data breach, which often occurs when an internal stakeholder falls for a phishing scam or fails to uphold an authorization protocol. You can think of exposure when major companies like Sony have user account information leaked to malicious third parties. Exposures are often preventable through regular training and security tools within your organization.
All About CVE Databases
Databases for CVE Entries
You can use several different databases for CVEs. The first is the “official” CVE managed by MITRE, but there are others available as well. They include:
- U.S. National Vulnerability Database (NVD), a federal counterpart to CVEs;
- VULDB, a community-managed and sourced vulnerability database;
- The Open Web Application Security Project (OWASP).
Best Practices for Using CVE Databases
MITRE provides these best practices for using the CVEs:
- Search by CVE ID. This is the most effective way to find exactly what you’re looking for within the database. The CVE identifier is usually the year the bug is found, followed by a unique string of digits to identify the vulnerability. These IDs are assigned by CVE numbering authorities.
- Use specific keywords. If you don’t know the CVE ID, use specific keywords, in multiple pairings, to find the issue. Avoid general keywords or searching only one at a time. You can try searching for a bug using the common identifiers like the common name given a newsworthy vulnerability, for example.
- Determine which record is the one you’re looking for. You’ll need to check the CVE entry returned to you in search to see which is the one you actually want. Sometimes multiple records will be returned because not enough information on the issue was initially provided.
- Don’t expect information for fixes or other technical details. The CVE list won’t provide this information because it is simply intended as a baseline. You can use the links provided or search other databases like those listed above.
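The ID-format and keyword advice above can be checked mechanically. Here is an added example (not from the original article, and not MITRE's own tooling) that validates CVE IDs and searches a small set of constructed records by exact ID or by requiring every keyword to match. The record IDs, descriptions and URLs are placeholders, not real CVE entries.

```python
# Added example: CVE ID validation and ID/keyword search over constructed
# records, mirroring the "search by ID, else by several specific keywords"
# best practices.
import re
from dataclasses import dataclass

# CVE ID syntax: "CVE-", a four-digit year, a hyphen, then a sequence number
# of at least four digits (longer sequence numbers are allowed).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(text: str) -> tuple:
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError.

    Case and surrounding whitespace are normalised so that pasted IDs match.
    """
    m = CVE_ID_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a CVE ID: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_valid_cve_id(text: str) -> bool:
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    description: str
    references: tuple


# Constructed sample records; IDs, text and URLs are placeholders only.
RECORDS = (
    CveRecord(
        "CVE-2099-0001",
        "SQL injection in the login form of ExampleApp 1.0 allows remote "
        "attackers to bypass authentication.",
        ("https://vendor.example/advisory/0001",),
    ),
    CveRecord(
        "CVE-2099-0002",
        "Stack-based buffer overflow in the image parser of ExampleLib 2.3 "
        "allows remote code execution via a crafted file.",
        ("https://vendor.example/advisory/0002",),
    ),
    CveRecord(
        "CVE-2099-0003",
        "Cross-site scripting (XSS) in the comment field of ExampleApp 1.0 "
        "allows injection of script via a crafted comment.",
        ("https://vendor.example/advisory/0003",),
    ),
)


def find_by_id(records, cve_id: str):
    """Exact lookup by CVE ID; returns the record or None."""
    year, seq = parse_cve_id(cve_id)
    wanted = f"CVE-{year:04d}-{seq:04d}"
    return next((r for r in records if r.cve_id == wanted), None)


def search_keywords(records, keywords) -> list:
    """Return records whose description contains every keyword (case-insensitive).

    Requiring all terms is what makes a specific pairing narrow the result
    set; a single broad term such as "remote" matches far more entries.
    """
    terms = [k.strip().lower() for k in keywords if k.strip()]
    if not terms:
        raise ValueError("at least one keyword is required")
    return [r for r in records if all(t in r.description.lower() for t in terms)]


if __name__ == "__main__":
    print(find_by_id(RECORDS, " cve-2099-0002 "))
    for r in search_keywords(RECORDS, ["buffer", "overflow"]):
        print(r.cve_id, r.references[0])
```

Against the real CVE list the same logic applies: normalise the ID before querying, and when you must fall back to keywords, combine a product name with a vulnerability class rather than searching either term alone.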
If you find a bug within your organization, you can report it to a CNA organization for inclusion in the CVE. You’ll need to find the appropriate CNA from the list provided by MITRE. The CNA will assign your bug a unique CVE ID and log the necessary information within the database.
If you’re unsure how to start reporting security vulnerabilities, the U.S. Department of Homeland Security (DHS) provides clear guidelines and instructions for researchers “conducting vulnerability and attack vector discovery activities.” These are guidelines that your CERT should already know, but ensuring that training is in place can help decrease the risk of exposure as you explore new ways of finding security vulnerabilities.
You can find more information for protecting your organization against vulnerabilities as well as cybersecurity best practices within the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).
Protect Your Business from Vulnerabilities with ZenGRC
You’ll need to regularly monitor and update software to catch vulnerabilities within your organization before a bad actor does. ZenGRC from Reciprocity offers the all-in-one reporting and monitoring tools you need to protect your organization from known and developing vulnerabilities.
Having an integrated and seamless platform for continual monitoring and cybersecurity reporting will make this process that much smoother, offering you key metrics in shareable reports from a variety of information sources. ZenGRC is a CVE-compatible product, scanning multiple vulnerability databases at regular intervals while collecting CVSS scores and searching for patch updates.