The main purpose of cybersecurity is vulnerability management. In achieving this goal, specialists are assisted by CVE, which is an integral part of the information security community. You may have already heard this abbreviation, but what does it mean? In this article, we will look at the definition and history of CVE, why it is important, and how hackers use it.
What is CVE?
The abbreviation CVE stands for Common Vulnerabilities and Exposures and is a database of well-known information security vulnerabilities. The system is actively supported by a US Federally Funded Research and Development Center (FFRDC) managed by MITRE Corporation. Since MITRE is a non-profit organization, CVE is funded by the US National Cyber Security Division (NCSD).
The difference between vulnerabilities and exposures
Vulnerabilities are system flaws that create weaknesses in the infrastructure that a cybercriminal can exploit. They can arise from anything from unpatched software to an unprotected USB port. System vulnerabilities may allow an attacker to:
get access to system memory;
run malicious code;
steal, destroy or modify sensitive data.
Exposures are isolated cases in which an organization’s system is put at risk. A simple mistake can be enough to allow a cyber attack on an organization. This can include the theft of confidential data, which is then sold on the darknet. Most cyber incidents are caused by information disclosure, not well-designed exploits.
History of the CVE system
The initial concept of the CVE database originated in a 1999 white paper titled “Towards a Common Enumeration of Vulnerabilities”, written by Steven M. Christey and David E. Mann of MITRE Corporation.
Christey and Mann assembled a working group of 19 specialists and compiled an initial CVE list of 321 entries. In September 1999, the registry became publicly available. Since the launch of CVE in 1999, various information security companies have supplemented the list of vulnerabilities. By December 2000, 29 organizations participated in the initiative with their 43 mistakes.
CVE was used as a starting point for the US National Vulnerability Database (NVD) maintained by NIST. CVE expands with each organization that joins MITRE as a co-author. The full list of partners can be found at CVE.org.
How are CVEs defined?
All CVEs are flaws, but not all flaws are CVEs. A flaw is declared a CVE when it meets three specific criteria:
The flaw can be fixed separately from any other errors;
The software vendor has recognized and documented the vulnerability as damaging to user security;
The flaw affects a single codebase. Flaws affecting multiple products are assigned multiple CVEs.
Each CVE vulnerability is assigned a number (CVE Identifier or CVE ID) by one of the 222 CVE Numbering Authorities (CNAs) from 34 countries.
According to MITRE, CNAs are drawn from a range of organizations: from software vendors and open-source projects to bug-finding service providers and research groups. All these organizations have the right to assign CVE identifiers and publish records about them under the CVE program. Over the years, companies from various industries have joined the CNA program. The entry requirements are minimal and do not require a contract or a monetary contribution.
The international standard for CVE identifiers is CVE-xxxx-uuuu, where [xxxx] is the year when the vulnerability was discovered and [uuuu] is the serial number assigned by the corresponding CNA.
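An added example (not part of the original article): a Python sketch that pulls CVE IDs out of free text and cross-references which sources mention the same ID, the lookup a shared identifier makes possible. It assumes the serial number is four or more digits; the function names are hypothetical and the sample IDs are constructed placeholders, not real CVE records.

```python
import re
from collections import defaultdict

# CVE-<year>-<sequence>: four-digit year, then a sequence of four or more digits
# (assumed syntax). Lookarounds stop matches inside tokens such as "XCVE-...".
CVE_RE = re.compile(r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})(?!\d)",
                    re.IGNORECASE | re.ASCII)
FIRST_YEAR = 1999  # the CVE list became public in 1999


def parse_cve_id(text):
    """Return (year, sequence) as integers for one well-formed ID, else None."""
    m = CVE_RE.fullmatch(text.strip())
    if m is None or int(m.group(1)) < FIRST_YEAR:
        return None
    return int(m.group(1)), int(m.group(2))


def extract_cve_ids(text):
    """Find CVE IDs in free text: upper-cased, de-duplicated, sorted by
    year and then by numeric (not lexical) sequence number."""
    found = {m.group(0).upper() for m in CVE_RE.finditer(text)}
    valid = [cve for cve in found if parse_cve_id(cve) is not None]
    return sorted(valid, key=parse_cve_id)


def cross_reference(sources):
    """Map each CVE ID to the sorted names of the sources mentioning it."""
    index = defaultdict(set)
    for name, text in sources.items():
        for cve in extract_cve_ids(text):
            index[cve].add(name)
    return {cve: sorted(index[cve]) for cve in sorted(index, key=parse_cve_id)}


# Constructed sample text; the IDs are placeholders, not real CVE records.
SAMPLE_SOURCES = {
    "vendor-advisory": "Fixes cve-2099-0042 and CVE-2099-123456.",
    "scanner-report": "Host A: CVE-2099-123456; host B: CVE-2099-0042, CVE-2099-9999",
    "ticket": "CVE-1998-0001 (year too early), CVE-2099-12 (too short), XCVE-2099-0007",
}

if __name__ == "__main__":
    for cve, names in cross_reference(SAMPLE_SOURCES).items():
        print(cve, "->", ", ".join(names))
```

Sorting on the parsed integers matters because serial numbers vary in length: a plain string sort would place CVE-2099-123456 ahead of CVE-2099-9999.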
How many CVEs are there?
Thousands of new vulnerabilities have been published every year since the program was founded in 1999. At the time of writing, there are already 178,569 entries in the CVE list. On average, this amounts to 7,763 vulnerabilities and exposures per year.
Of the more than 178,000 CVEs, more than half belong to the world’s 50 leading software vendors. For example, Microsoft and Oracle have reported more than 6,000 flaws in their products.
Why is the CVE program important?
The CVE database was created to simplify the exchange of information about known vulnerabilities between organizations. CVE identifiers give a cybersecurity specialist the ability to easily find information about flaws in various authoritative sources using the same vulnerability identifier.
Moreover, CVE gives a company a reliable basis for understanding the need to invest in improving protection. An organization can quickly get accurate information about a specific exploit from several certified sources, which allows it to prioritize the problem correctly.
Can cybercriminals use CVE?
When a vulnerability becomes publicly known, a hacker has time to use it for malicious purposes. An attacker can exploit the flaw until it is fixed by the software vendor.
Information exchange in the information security community is a reliable way to reduce the number of cyber attacks and introduce new solutions to ensure cybersecurity. CVE is a necessary element on the way to improving products and maintaining the protection of users and global corporations.