Risk mitigation; Organizations to maintain in depth defence over CVE


While the number of security breaches reached a record high in 2020, system administrators in organizations have been warned not to focus only on high-scoring CVEs during the patch process.

CVE (Common Vulnerabilities and Exposures) is a list of publicly disclosed security flaws. When an organization refers to a CVE, it means a security flaw that has been assigned a CVE ID number.

CVE was launched back in 1999 by MITRE Corporation to identify and classify vulnerabilities in firmware and software. CVE acts as a free dictionary that organizations can use to analyse and improve their cyber security.

According to security researchers, organizations should look beyond the CVSS score when assessing the threat posed by security vulnerabilities.

Based on a survey of more than 18,000 vulnerabilities conducted by the US National Institute of Standards and Technology (NIST) in 2020, the firm Redscan argued for taking ‘low risk’ vulnerabilities seriously.

2020 was a year in which more vulnerabilities were revealed, with an average of 50 CVEs reported per day.

Using the Common Vulnerability Scoring System (CVSS), Redscan found that about 57% of the vulnerabilities were classified as critical or high severity, and these 57% tend to receive more attention from security teams.

The number of low-complexity CVEs is also rising, totalling 63% of vulnerabilities reported in 2020.

Redscan adds that more complex high-severity vulnerabilities are yet to be explored, since an attacker needs access to high privileges to exploit them.

Probability business

George Glass, threat intelligence head of Redscan, said, “Just because a vulnerability is categorized as high risk, it doesn’t necessarily mean that it poses a greater risk than one that has medium severity.”

“In-depth defence is very important, and this is also true in deciding which vulnerability to patch. For example, low threat exploitation and facing appliance could be of a greater risk than a high threat vulnerability which deploys a skilled adversary to exploit.”

Meanwhile, a chain of low-risk vulnerabilities could be dangerous and might immediately be apparent.

According to Glass, a single vulnerability could provide a hacker with a low-privilege shell on the host.

The attacker can then exploit another vulnerability to become root, or proceed with further technical moves to achieve their real objectives, whether installing ransomware or stealing information.

The vulnerability chain

During 2019, Redscan witnessed several changing vulnerabilities in networking technology.

These included Fortinet and MobileIron devices with the Zerologon vulnerability, which allowed hackers to move from a low-privileged account to the network edge and achieve administrator access to the entire domain.

More surprisingly, Redscan's security team found a decrease in the percentage of vulnerabilities that require no privileges to exploit, from 71% in 2016 to 58% in 2020.

Meanwhile, Edgescan's vulnerability stats report discloses that two-thirds of the CVEs found in 2020 were old, with half of them dating back to 2015 or before.

Malware is targeting old vulnerabilities that can easily be patched.

Glass urges caution when using automated scanning tools to find security flaws. He also warns that without complete context they can give a misleading picture.

A successful way to improve vulnerability management is to keep track of what is happening in the threat landscape. This can also help to prioritise specific vulnerabilities that pose a greater risk to the organization at any point in time.
