"It's a jungle out there, It's a jungle in here too
You got a tap right on your phone
A microphone and camera checking out everything you do
Call it paranoia, as the saying goes
Even paranoids have enemies…
I could be wrong there, but I don't think so
'Cause it's a jungle out there"
~ Randy Newman - 2004 song
CVEs and Security Information Sharing
Cybersecurity is one of the fastest-growing sectors of the IT industry. Estimates indicate we won't be able to fill all the open positions for a few years. The existing IT workforce is being trained and educated learning security from several aspects. This has led to further definitions of security, common language and terms, and more ways to share security information. There are several levels of security from system administration and access control to flaws in products that are exploited to get around security. Addressing the flaws is the subject of this article.
Flaws or vulnerabilities in products are not new. To move society forward, we developed methods to publish defects or safety issues with products after they are in the hands of the consumer. Almost every country in the world has some sort of recall or notification process. Cars, toys, food, and many other categories have automated notifications of recalls as they are discovered. The exchange of information increases safety for all. Should it impact enough people, it becomes a news event. With maturity, information technology security has established its own publication and notification system called the Common Vulnerability and Exploitation (CVE) program.
CVE Program
In 1999, two individuals from The MITRE Corporation presented a white paper called Towards a Common Enumeration of Vulnerabilities. MITRE is a non-profit corporation chartered by the USA federal government in 1958 to provide independent analysis and technical recommendations in the public interest. MITRE's roots in the labs at the Massachusetts Institute of Technology (MIT) have put it at the center of technology innovation since its inception. As an early major technology center, MITRE recognized the need for a structured vulnerability disclosure program.
MITRE has a financial sponsor with the USA Cybersecurity and Infrastructure Security Agency (CISA) which saw the value of the CVE program. MITRE currently operates several USA federally funded research and development centers (FFRDCs) spanning work with defense, medical, and financial departments. The CVE program is unique in that it has emerged to directly support more than the USA federal government and expanded to involve foreign governments and the private sectors worldwide.
Multiple worldwide technology standards organizations have endorsed and contributed to the CVE program making it a worldwide standard to disseminate information about software, hardware, and cloud vulnerabilities. The managing board of directors along with its members have ensured the non-political nature of the organization. In September 2021, a new independent CVE.ORG website was launched and today the site has over 180 thousand records of vulnerabilities published by organizations from 35 different countries.
CVE records are published by CVE Numbering Authorities (CNAs) worldwide. CNAs are mostly vendors who publish their own CVEs similar to a vehicle manufacturer publishing a recall notice. There are also researchers, government, and other types of CNAs working for the public good and protection. These organizations become CNAs to promote their own product safety and become better global community members. It also helps that Coordinated Vulnerability Disclosure (CVD) laws are being implemented in many countries requiring disclosures.
CVE Process
The process of a published CVE begins with the discovery of a vulnerability. Vulnerabilities do not need to be discovered by the developer or vendor; they can be discovered by anyone. The preferred publishing method is for the developer or vendor to receive the information, review the vulnerability, and then release a fix at the same time they publish the vulnerability. The majority of new CVE records are submitted by vendors, though in cases where the vendor does not acknowledge the vulnerability, the process allows for independent publishing.
A CVE record is assigned an ID such as CVE-2022-12345. All CVE records begin with "CVE" followed by the year and a unique number incrementing by 1 for each submission. CVE IDs are not public when reserved and remain private until the requestor submits all the details and confirms the vulnerability. CVE records contain the product name, versions affected, and details about the vulnerability discovered. Details about the cause and impact of the vulnerability are also included along with remediation and other threat details.
Once published, most vendors' software updates include the CVE IDs resolved in the update release notes. Many vendors also have a way to search their updates for CVEs resolved. Sometimes these CVE security updates are included in new versions which add productivity features. While this makes the vendors’ job easier, dealing with issues from both security patches and new features makes the IT security professional’s job more difficult.
There is an axiom that problems cause change and change causes problems. When change brings either security or productivity, the problems that may come with it are a necessary byproduct. IT Professionals need to constantly review security updates vs. productivity updates to ensure they are keeping their systems safe while adding productivity updates when they are released.
The current CVE database and additional information are available at CVE.ORG. The National Institute of Standards and Technology (NIST) also maintains a vulnerability database that expands on the CVE through ranking and other additional information. It can be found at NVD.NIST.GOV. New languages have also been developed such as the Open Vulnerability and Assessment Language (OVAL) to assist with the submission, extraction, and spread of vulnerability information. Many countries use the CVE data directly or extract the information for their own country-provided databases.
Actions and Resources
To know what you are vulnerable to, every organization should keep a current list of software in use along with versions and where it is installed. Several free and commercial software applications can assist in compiling this inventory. Contact Brightside for recommendations or do an internet search for IT software inventory management which will reveal several options. Diligence is needed as this type of software gains access to many of your systems. Ensure there is not a current CVE on the software you select, though seeing previous CVEs would be a good sign of diligence on the vendors' side.
Inventory software is also available with the feature that will query the CVE database and provide a list of applicable CVEs that relate to your software inventory. Some will also automatically update software to mitigate the issues published in the CVE. Should the software you choose not search for known vulnerabilities, this process can be manually done via search by software title or vendor to review any that apply. Brightside strongly recommends that any security process that can be automated, should be, since it is a non-stop and very repetitive process that software and computers are good at. These automated processes should be monitored by security staff or a managed service provider to ensure smooth and secure results. After all, it is software and itself vulnerable to attack and compromise.
There are other areas to this that need to be addressed. The Industry 4.0 trend with cyber-physical systems and Internet of Things (IoT) devices will not be covered by standard software inventory though these devices exist in your networks. The daunting task of tracking and analyzing every device on your network for updates still requires work and perseverance though, device inventory systems exist to assist in this endeavor. Bundling the two provides the optimal security monitoring structure for an organization. AI is a growing tool being used in this respect.
Exchange of Information
The CVE process allows different vendors and organizations to share information in a common format. The CVE process can take weeks to months once a vulnerability is discovered as it is prudent to wait until an update is available to release the vulnerability. Should a vulnerability become public before a patch is available, any bad actor could take advantage of it.
Another aspect of sharing information has emerged in Information Sharing and Analysis Centers or ISACs. There are several general centers and several industry-specific centers worldwide that have formed over the past several years. The collaboration of members of these centers can prove invaluable to prepare for and monitor current security outbreaks. Discussion of best practices, what tools members have found useful, and general information about what is being seen can be broadcast to members when attacks are happening. There is usually a confidentiality condition for these groups with some data and notifications being anonymized. More information can be found at nationalisacs.org or isacs.eu.
Summary
Cybersecurity is a 24-hour, team effort that requires a security staff to look internally and externally for vigilance. Subscriptions to mailing lists, Twitter accounts, and news sources for the latest security event information are critical. CVEs are one form of alert, though real-time sharing is also a priority. Every organization should have software that inventories applications and devices to ensure you are not operating with known vulnerabilities. Compromises using known vulnerabilities in non-patches software are still in the top 3 ways systems get attacked. Information sharing groups are available to every organization and should be taken advantage of. An internet search or asking your peers should assist in finding these.
It's a jungle out there, it’s a jungle in here too. IT and automation provided a revolution in productivity and societal improvement. These systems we build and manage are capable of great benefit though as we become dependent on them, can become a great vulnerability. With the Internet and its connectivity, Ransomware, Destructionware, and Extortionware attempts are increasing every day. Criminal enterprises, governments, state-sponsored attacks, and even groups with social causes are using hacking to achieve their causes. CVEs, software inventory, and information sharing are but a few of the activities security teams need to keep in their tool chest.
~ Mark Munger - Chief Technology Officer, Brightside Industries Group, LLC
Comments