Common Vulnerabilities and Exposures (CVE) is a list of publicly known computer security flaws, each given a unique identifier, that helps individuals and companies assess the risk a given vulnerability or exposure poses to them. When someone refers to a CVE, you can quickly find the vulnerability by searching for its ID, and because each entry is reviewed and documented in a structured, consistent way, you can quickly gauge how critical the risk is to your organization. Security warnings issued by vendors or researchers almost always mention at least one CVE ID.
CVE entries are brief: they don't include technical data, information about potential impacts, or the fixes themselves. Those details appear in other databases, including the U.S. National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and additional lists maintained by the vendor in question or other cybersecurity organizations. Across these different systems, CVE IDs give users a reliable way to refer to the same specific security flaw.
A related standard for ranking the criticality of a CVE is the Common Vulnerability Scoring System (CVSS), a set of open standards for assigning a number to a vulnerability to assess its severity. CVSS scores are listed in CVE, NVD, and CERT advisories. Scores range from 0.0 to 10.0, with higher numbers representing a more severe vulnerability. Many security vendors have created their own scoring systems as well.
The CVE list is managed by the MITRE Corporation, which is funded by the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.
Should SMB Owners Concern Themselves With CVEs?
Yes. Every SMB should have a process for handling critical vulnerability alerts so it can quickly assess risk and make important, time-sensitive decisions about how to react. With a Vulnerability Alert Management Process (aka VAMP) in place, you have a clear guide to when to jump, and how high, for a given vulnerability or exposure (risk).
Fortunately, CyberHoot provides a template that organizations can adopt, outlining a VAMP process based on years of "in-the-trenches" responses to vulnerabilities by CyberHoot's co-founders. Ask your MSP what it might cost to formalize this process for you today.