MD3 Common vulnerabilities and exposures Flashcards

1
Q

The common vulnerabilities and exposures list, or CVE list

A

The main purpose of the CVE list is to offer a standard way of identifying and categorizing known vulnerabilities and exposures. Most CVEs in the list are reported by independent researchers, technology vendors, and ethical hackers, but anyone can report one. Before a CVE can make it onto the CVE list, it first goes through a strict review process by a CVE Numbering Authority, or CNA.

2
Q

CVE Numbering Authority or CNA

A

A CNA is an organization that volunteers to analyze and distribute information on eligible CVEs. All of these groups have an established record of researching vulnerabilities and demonstrating security advisory capabilities. When a vulnerability or exposure is reported to them, a rigorous testing process takes place.

3
Q

The 4 criteria a reported vulnerability must meet before it is added to the CVE list

A

First, it must be independent of other issues. In other words, it must be possible to fix the vulnerability without first having to fix something else.

Second, it must be recognized as a potential security risk by whoever reports it. Third, the vulnerability must be submitted with supporting evidence.

And finally, the reported vulnerability can only affect one codebase, or in other words, only one program’s source code. For instance, the desktop version of Chrome may be vulnerable, but the Android application may not be. If the reported flaw passes all of these tests, it is assigned a CVE ID.

4
Q

The NIST National Vulnerability Database (NVD)

A

The NIST National Vulnerability Database uses what’s known as the Common Vulnerability Scoring System, or CVSS, a measurement system that scores the severity of a vulnerability.

Security teams use CVSS as a way of calculating the impact a vulnerability could have on a system. They also use the scores to determine how quickly a vulnerability should be patched.

The NIST National Vulnerability Database provides a base score for each CVE on a scale of 0-10. Base scores reflect the moment a vulnerability is evaluated, so they don’t change over time. In general, a CVSS score below 4.0 is considered low risk and doesn’t require immediate attention. However, anything above 9.0 is considered a critical risk to company assets that should be addressed right away.
