DEFINITIONS

In computer security, a vulnerability (or flaw) is a weakness in a computer system that lets an attacker compromise that system: its normal operation (availability), the confidentiality of the data it holds, or the integrity of that data.

Several points to remember:

  • A weakness can have human origins (e.g., social engineering, reused passwords), technical origins (e.g., outdated software, incorrect configuration), or architectural origins (e.g., poor network segmentation, no redundancy for critical services).

  • The weakness must compromise at least one of the following factors:

    • Confidentiality: only authorized individuals have access to the data.

    • Integrity: only authorized individuals or processes can modify the data.

    • Availability: the information is accessible whenever needed and without delay.

  • The weakness can be exploited by an attacker, whether internal or external, intentionally or unintentionally.

"This implies that if at least one of these factors is reduced, the threat represented by the vulnerability will be diminished."

SOME KEY TERMS TO KNOW ABOUT VULNERABILITIES

There are some terms to know and understand when talking about vulnerabilities.

EOL - END OF LIFE

The first vulnerability that comes to mind is the "End of Life" (EOL, also called end of support) issue. You will inevitably encounter it at least once in your professional life.

This can range from an Android phone that no longer receives security patches, to an outdated operating system like Windows 3.1, to industrial software that still works but would be prohibitively expensive to replace.

A good starting point to monitor the obsolescence of your IT infrastructure is to use this website in conjunction with your Configuration Management Database (CMDB).

CVE

CVE (Common Vulnerabilities and Exposures) is a public list of computer security flaws. It provides a unique identifier for each vulnerability in the format CVE-YEAR-UniqueID.

This list is maintained by MITRE with the support of the United States Department of Homeland Security.

Its objective is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

When you receive an alert about the presence of CVEs in your infrastructure, keep in mind that the CVE entry itself gives you only the bare minimum of information: no technical details, just the affected software, the affected version, and the fixed version if one exists.


CVSS SCORE

The Common Vulnerability Scoring System (CVSS) provides a severity rating (not a risk rating) on a scale from 0 to 10, with 10 being the maximum score.

Score        Severity
0            None
0.1 to 3.9   Low
4 to 6.9     Medium
7 to 8.9     High
9 to 10      Critical

The CVSS standard is maintained by FIRST (Forum of Incident Response and Security Teams, FIRST.Org).

The score takes several metrics into account, such as:

  • Attack Vector: Describes how an attacker can reach the vulnerable component. For example, whether it requires physical access, local access, or network access.

  • Attack Complexity: Reflects the level of difficulty an attacker faces to exploit the vulnerability successfully. It considers factors like whether specialized conditions or certain configuration settings are necessary.

  • Privileges Required: Indicates the level of privileges an attacker needs to exploit the vulnerability. It considers whether the attacker requires no privileges, low privileges, or high privileges on the target system.

  • User Interaction: Determines if the vulnerability can be exploited without any user interaction, or if user involvement is needed to trigger the exploit.

Together, these metrics produce the overall CVSS score, an assessment of the severity of the vulnerability and of its potential impact on the affected system.

CVSS IN ONE LINE

For brevity, alert bulletins rarely include the complete table; most often you will find a short string of characters that summarizes it, the CVSS vector string.

For example, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N represents the following table:

Metric                    Value
CVSS Version              3.1
Attack Vector (AV)        Network (N)
Attack Complexity (AC)    Low (L)
Privileges Required (PR)  None (N)
User Interaction (UI)     Required (R)
Scope (S)                 Changed (C)
Confidentiality (C)       Low (L)
Integrity (I)             Low (L)
Availability (A)          None (N)

To learn more about CVSS, see the Common Vulnerability Scoring System Version 3.0 Calculator.

CWE

CWE (Common Weakness Enumeration) is a public list of the types of weaknesses that can be found in software.

This list is maintained by MITRE with the support of the United States Department of Homeland Security.

While CVE focuses on identifying and referencing specific vulnerabilities in software and systems, CWE concentrates on common weaknesses in development and coding practices that can lead to vulnerabilities.


NVD

The NVD (National Vulnerability Database) is the repository for U.S. government vulnerability management data based on standards and represented using the Security Content Automation Protocol (SCAP). These data facilitate the automation of vulnerability management, security measurement, and compliance.

The NVD comprises reference databases of security checklists, software vulnerabilities related to security, misconfigurations, product names, and impact metrics.

Paired with an automation tool such as Power Automate, the NVD data can save a great deal of time in the day-to-day processing of alerts.


0-DAY

A "0-day" vulnerability is a software vulnerability that is unknown to the software vendor and to the wider community. Because the developers are not yet aware of it, no fix or patch has been released, so attackers can exploit it before any appropriate defense is available. The name "0-day" refers to the fact that the attack happens on the same day the vulnerability is discovered: the vendor has had zero days to fix or patch the software.

KEV

KEV (Known Exploited Vulnerability) refers to a known vulnerability that is currently being actively exploited by attackers. In this case, the vulnerability has already been discovered and reported, and there may be patches or updates available to address the issue. However, despite this, some systems have not yet applied these fixes, and attackers are actively exploiting the vulnerability to compromise these unprotected systems.

To stay informed about KEVs, I recommend subscribing to this website.


EPSS

EPSS (Exploit Prediction Scoring System) is a data-driven system used to estimate the probability of a software vulnerability being exploited in the wild. The EPSS model generates a probability score ranging from 0 to 1 (0 to 100%). A higher score indicates a greater likelihood of the vulnerability being exploited.

This system originates from FIRST, the same organization that manages CVSS.

In the appendix, you will find an Excel file to calculate your EPSS score.

As discussed earlier, CVSS scores tend to skew high, because the system is built to single out the most critical vulnerabilities: those that can be exploited without user interaction and that grant maximum privileges.

The challenge arises when everything seems important and urgent to patch because of high CVSS scores. This is where EPSS comes in, by indicating the probability that a vulnerability will actually be exploited. Note, however, that the EPSS scoring system may penalize certain software vendors. No scoring system is perfect, and understanding the weaknesses of each one is crucial.
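As an added example that is not part of the original article, here is one way to put the argument above into practice: rank findings by KEV listing first, then by EPSS, then by CVSS, and compare the result with a CVSS-only ranking. The sample findings, their scores and the thresholds (EPSS 0.10, CVSS 9.0 and 7.0) are constructed assumptions for illustration, not real CVE data; the CVE identifier check follows the CVE-YEAR-UniqueID format described in the CVE section.

```python
import re

# CVE identifiers are CVE-YEAR-SEQUENCE, with a sequence of four or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumed triage thresholds for this illustration (tune them to your own risk appetite).
EPSS_HIGH = 0.10   # EPSS probability (exploitation within 30 days) we treat as "likely"
CVSS_CRIT = 9.0
CVSS_HIGH = 7.0

def tier(finding):
    """Lower is more urgent: KEV first, then likely-exploited, then CVSS bands."""
    if not CVE_ID.match(finding["cve"]):
        raise ValueError("malformed CVE id: %s" % finding["cve"])
    if finding["kev"]:
        return 0  # actively exploited in the wild: patch now, whatever the CVSS says
    if finding["epss"] >= EPSS_HIGH:
        return 1
    if finding["cvss"] >= CVSS_CRIT:
        return 2
    if finding["cvss"] >= CVSS_HIGH:
        return 3
    return 4

def rank(findings):
    """CVE ids in patching order: tier, then higher EPSS, then higher CVSS."""
    ordered = sorted(findings, key=lambda f: (tier(f), -f["epss"], -f["cvss"]))
    return [f["cve"] for f in ordered]

def rank_cvss_only(findings):
    """The 'everything is critical' ordering the text warns about, for comparison."""
    return [f["cve"] for f in sorted(findings, key=lambda f: -f["cvss"])]

# Constructed sample findings (fictitious ids in year 2099 and made-up scores).
SAMPLE = [
    {"cve": "CVE-2099-0001", "cvss": 9.8, "epss": 0.003, "kev": False},
    {"cve": "CVE-2099-0002", "cvss": 7.5, "epss": 0.42, "kev": False},
    {"cve": "CVE-2099-0003", "cvss": 8.8, "epss": 0.05, "kev": True},
    {"cve": "CVE-2099-0004", "cvss": 9.1, "epss": 0.001, "kev": False},
]
```

With the sample data, rank(SAMPLE) puts the KEV entry first and the 9.8 CVSS finding with a 0.3% EPSS only third, whereas rank_cvss_only(SAMPLE) would have you start with that 9.8.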

