Common Vulnerabilities and Exposures Are a Cybersecurity Standard. Here Is Everything You Need to Know About Them.
Vulnerability management is quintessential for a successful cybersecurity strategy, and CVEs are an integral part of it. You might have heard the acronym thrown around before, but what does it stand for?
In this article, we will go through the definition and history of CVEs, as well as why they are important and whether cybercriminals can exploit them or not. So, if you want to find all this out and more, then keep on reading.
What Is a CVE?
The acronym CVE stands for Common Vulnerabilities and Exposures, and it refers to a database containing publicly disclosed information security vulnerabilities and exposures. The system is actively maintained by the United States’ National Cybersecurity FFRDC, which in turn is run by the MITRE Corporation. With the latter being a not-for-profit organization, CVE relies on funding from the US Department of Homeland Security’s National Cyber Security Division to operate.
The Difference Between Vulnerabilities and Exposures
Vulnerabilities are defined as system flaws that created weaknesses in the infrastructure which a cyberattack could exploit. They can consist of anything from unpatched software to an unprotected USB port. When left unattended, they can allow cybercriminals to access system memory, install malware, run malicious code, or even steal, destroy, and modify confidential data.
An exposure represents a single instance when an organization’s system is endangered. Commonly described as a simple mistake, it opens an organization to various instances of cyber-harm. Examples include, but are not limited to data leaks, data breaches, and personally identifiable information being exfiltrated and sold on the Dark Web. An overwhelming majority of security incidents are caused by exposures rather than well-thought-out exploit plans.
The History of the CVE System
The initial concept of what would later become the CVE database originated in a whitepaper entitled Towards a Common Enumeration of Vulnerabilities penned by co-creators Steven M. Christey and David E. Mann of the MITRE Corporation. The duo presented the piece at Purdue University’s 2nd Workshop on Research with Security Vulnerability Databases that took place in January 1999.
Starting from there, Christey and Mann put together a working group that would later become the 19-member CVE Editorial Board, and put together an original CVE list of 321 records. In September 1999, the roster became publicly available, and thus the system as we have come to know it today was born.
From the launch of the CVE list in 1999, multiple companies in the cybersecurity community endorsed the initiative with compatible products. By December 2000, a total of 29 organizations were participating in the initiative with their 43 companion offerings.
In addition to this, the CVE database was used as the starting point for multiple entirely new products, such as NIST’s U.S. National Vulnerability Database (NVD). Over the years, the system continued to grow and is still doing so today, ever since the inclusion of new CNAs in 2016. Thus, the initiative expands with every organization that joins MITRE as a collaborator. The complete list of partners can be found over at CVE.org.
How Are CVEs Determined?
When it comes down to how a CVE is determined, there is a simple rule of thumb you need to remember – all CVEs are flaws, but not all flaws are CVEs. A flaw is declared a CVE when it meets three very specific criteria:
- The flaw can be fixed separately of any other bugs.
- The software vendor acknowledges and documents the flaw as hurting the security of its users.
- The flaw affects a singular codebase. Flaws that affect multiple products are assigned several CVEs.
Every flaw determined to be a CVE is then assigned a number called a CVE Identifier, or CVE ID. These IDs are assigned by one of over 220 CVE Numbering Authorities, or CNAs for short, from 34 countries.
According to MITRE, CNAs are represented by a variety of organizations, from software vendors and open source projects to bug bounty service providers and research groups. All these entities are authorized to assign CVE IDs and publish records of them by the CVE Program. Associations and businesses from a multitude of industries have joined the CNA program over the years. The requirements to do so are minimal and don’t involve a contract or monetary fee.
The international standard for CVE IDs is that of CVE-[Year]-[Number]. Naturally, the [Year] portion represents the year when the vulnerability or exposure was reported. The [Number] is a serial marker assigned by the respective CNA.
How Many CVEs Are There?
Thousands of new CVEs are published every year since the program was founded in 1999. At the moment I am writing this article, the official CVE.org website reports a total of 177,353 CVE records on the list. That boils down to an average of 7,711 vulnerabilities and exposures per year, but the reality of the last few years is that that number is almost double, with as many as 15,000 new CVEs reported.
Out of the over 177,000 CVEs currently on record now, more than half belong to the world’s top 50 software vendors. For example, companies such as Microsoft or Oracle both have more than 6,000 flaws reported in their products.
Why Are CVEs Important?
The CVE Program was created to simplify the sharing of information about known vulnerabilities among organizations. This is possible because the aforementioned CVE IDs give cybersecurity professionals the option to easily find information on flaws in various reputable sources by using the same denominator across the board.
With this system in place, organizations are encouraged to constantly update their security strategies according to the newest vulnerabilities and exposures that appear. In addition to this, the CVE list is a strong baseline for businesses to evaluate the coverage of the solutions they use and decide whether to invest in more robust defenses or not.
Using CVE IDs is also a preferred course of action in not only cyberattack prevention but also in detecting and responding to system vulnerabilities. By looking up CVE IDs when an issue is detected, organizations can gain accurate information on a particular exploit rather quickly from several certified sources, allowing them to prioritize its mitigation properly.
Can Cybercriminals Exploit CVEs?
Unfortunately, just like organizations can use CVEs to their benefit, so can cybercriminal groups. When vulnerabilities become known to the general public, there is a window between their publishing and their mitigation across all software users that hackers can exploit.
However, the benefits of CVEs far outweigh their drawbacks. For one, the list is restricted to known vulnerabilities and exposures only. On top of that, sharing information within the cybersecurity community is one of the surest ways to reduce cyberattack vectors when combined with robust cybersecurity solutions that back this knowledge up.
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
40,272 total views, 3 views today