Every day, new cyber threats emerge, targeting organisations and systems worldwide. To manage these threats effectively, it’s crucial to understand the core concepts of cyber security and vulnerability identification systems.
This blog post provides a guide to key vulnerability identification systems in cyber security and explains how they interconnect to manage vulnerabilities. It introduces the following terms:
- The Common Vulnerabilities and Exposures (CVE) system
- The National Vulnerability Database (NVD)
- The Common Vulnerability Scoring System (CVSS)
- The Known Exploited Vulnerabilities (KEV) catalogue
- The Common Platform Enumeration (CPE) system
Understanding Vulnerabilities and Exploits
At its core, a vulnerability is a flaw or weakness in a system’s design, implementation, or operation that can be exploited to violate the system’s security policy. These can take various forms, such as buffer overflows, injection flaws, and insecure default configurations.
Take, for instance, the Heartbleed bug, a severe vulnerability in the OpenSSL cryptographic software library. It allowed attackers to eavesdrop on communications, steal data directly from services and users, and even impersonate services and users.
On the other hand, an exploit is a piece of software, a chunk of data, or a sequence of commands that ‘exploits’ a vulnerability to cause unintended or unanticipated behaviour. The relationship between vulnerabilities and exploits is akin to that of a lock and a key: the vulnerability is the lock, and the exploit is the key that opens it.
The Common Vulnerabilities and Exposures (CVE) System
The CVE system is a list of publicly disclosed cybersecurity vulnerabilities that standardises the names for all publicly known vulnerabilities and security exposures. Established by MITRE Corporation in 1999, each CVE is named using the format “CVE-YYYY-NNNNN”, where “YYYY” is the year the CVE was assigned or publicised, and “NNNNN” is a unique identifier number.
The NIST National Vulnerability Database (NVD)
The NVD, a product of the National Institute of Standards and Technology (NIST), is a comprehensive database of all publicly available vulnerability data. It includes all the vulnerabilities listed in the CVE system and provides additional information such as impact, remediation, and exploitability. The NVD extends the capabilities of the CVE system by providing more detailed vulnerability metadata and decision support capabilities.
The Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System or CVSS is a universal standard for assessing the severity of computer system security vulnerabilities. It captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The scores range from 0 to 10, with 10 being the most severe.
The CISA Known Exploited Vulnerabilities (KEV) Catalogue
The Cybersecurity and Infrastructure Security Agency (CISA), a federal agency responsible for protecting the United States’ critical infrastructure from physical and cyber threats, maintains a Known Exploited Vulnerabilities (KEV) Catalogue. This catalogue lists vulnerabilities that are known to be exploited by malicious cyber actors. This catalogue is a crucial tool for cybersecurity because it helps organisations understand which vulnerabilities are actively being exploited, and which should be prioritised for patching.
The Common Platform Enumeration (CPE) System
CPE is a structured naming scheme for information technology systems, software, and packages. It is a standardised method for classifying and identifying these entities and is often linked with CVEs to help identify vulnerable systems or software. For example, a CPE entry like “cpe:2.3:a:microsoft:ie:7.0.5730.11” would refer to Microsoft Internet Explorer version 7.0.5730.11.
This table summarises and provides examples of the core concepts mentioned:

| Term | Description | Example |
| --- | --- | --- |
| Vulnerability | A flaw or weakness in a system's design, implementation, or operation that could allow an attacker to violate the system's integrity, availability, or confidentiality. | Buffer overflow, SQL injection |
| Exploit | Code, data, or a sequence of commands that takes advantage of a vulnerability to intentionally cause unintended or unexpected behaviour on a system. | Malware, ransomware, worms |
| CVE | Common Vulnerabilities and Exposures - publicly available list of known cybersecurity vulnerabilities identified by unique ID numbers. | CVE-2014-0160 for Heartbleed |
| NVD | National Vulnerability Database - contains detailed information on vulnerabilities using CVE IDs. | Provides severity scores and remediation info |
| CVSS | Common Vulnerability Scoring System - provides a way to capture characteristics of a vulnerability and produce a severity score. | Heartbleed scored 5.0/10.0 on the CVSS scale |
| CPE | Common Platform Enumeration - structured naming scheme to identify/classify vulnerable software and systems. | cpe:2.3:a:openssl:openssl identifies the OpenSSL library |
| CISA | Cybersecurity and Infrastructure Security Agency - maintains a catalogue of exploited vulnerabilities actively leveraged by threat actors. | ProxyLogon, Log4Shell |
Bringing it All Together
While the different cybersecurity concepts and databases discussed each serve unique purposes, they also interconnect in important ways:
The CVE system provides the base identifier for publicly disclosed vulnerabilities like the Heartbleed bug (CVE-2014-0160). This ID is then leveraged across various databases and systems to universally reference the vulnerability.
The NVD incorporates the CVE ID and contains comprehensive technical data on the vulnerability like severity, impacts, detection, and mitigations.
The CVSS builds on the CVE and NVD to assign a standardised numerical score reflecting the severity of the vulnerability. Heartbleed had a base CVSS score of 5.0 out of 10.
The CPE system utilises a structured naming format that integrates with CVE IDs to specifically identify vulnerable software and platforms.
CISA relies on these underlying CVE identifiers and scores to compile its catalogue of actively exploited vulnerabilities requiring priority attention.
To further illustrate all of this, let’s say a new vulnerability called “X” is disclosed affecting a common server software package.
It would first be assigned a CVE ID, like CVE-2023-1234. The NVD would then catalogue full details on X, including its CVSS severity score of 9.0. CPE entries would precisely identify the affected software versions. CISA could determine X is being actively exploited in the wild and add it to its catalogue, given its critical severity per the CVSS rating. In this way, the different concepts and databases work together to identify X as a high-risk vulnerability requiring urgent action.
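To make the CPE matching described earlier and this KEV-and-CVSS prioritisation concrete, here is an added example with constructed data (not the blog's, NVD's or any vendor's code): it parses CPE 2.3 names, matches an asset inventory against affected-product patterns, and ranks the hits KEV-listed first and then by CVSS score. The inventory, the "acme" products and the affected-product lists are invented; only CVE-2014-0160 and the post's hypothetical CVE-2023-1234 come from the page.

```python
"""Match an inventory of CPE names against vulnerability records and rank the hits
KEV-first, then by CVSS. Added example with constructed data; not the blog's code."""
from dataclasses import dataclass
import re

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]
_UNESCAPED_COLON = re.compile(r"(?<!\\):")  # "\:" inside a value is a literal colon

def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named components. Short forms such as
    the blog's 'cpe:2.3:a:microsoft:ie:7.0.5730.11' are padded with '*' (ANY)."""
    parts = _UNESCAPED_COLON.split(cpe)
    if parts[:2] != ["cpe", "2.3"] or len(parts) > 2 + len(CPE_FIELDS):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    values = parts[2:] + ["*"] * (len(CPE_FIELDS) - len(parts[2:]))
    return dict(zip(CPE_FIELDS, values))

def cpe_matches(pattern: str, asset: str) -> bool:
    """Every component must agree; '*' on either side matches anything. An asset with
    an unknown ('*') version is deliberately counted as a hit so it gets reviewed."""
    p, a = parse_cpe(pattern), parse_cpe(asset)
    return all(p[k] == "*" or a[k] == "*" or p[k] == a[k] for k in CPE_FIELDS)

@dataclass
class Vuln:
    cve_id: str
    cvss: float           # base score, 0 to 10
    affected: list        # CPE patterns, as an NVD-style configuration lists them
    in_kev: bool = False  # listed in CISA's KEV catalogue?

def prioritise(inventory: list, vulns: list) -> list:
    """Return (cve_id, asset) pairs: KEV-listed first, then by CVSS descending."""
    hits = [(v, asset) for v in vulns for asset in inventory
            if any(cpe_matches(pat, asset) for pat in v.affected)]
    hits.sort(key=lambda h: (not h[0].in_kev, -h[0].cvss))
    return [(v.cve_id, asset) for v, asset in hits]

# Constructed inventory and records; "X" (CVE-2023-1234) is the blog's hypothetical flaw.
INVENTORY = ["cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*",
             "cpe:2.3:a:acme:webserver:2.4:*:*:*:*:*:*:*",
             "cpe:2.3:o:acme:router_fw:1.0:*:*:*:*:*:*:*"]
VULNS = [Vuln("CVE-2014-0160", 5.0, ["cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*"]),
         Vuln("CVE-2023-1234", 9.0, ["cpe:2.3:a:acme:webserver:*"], in_kev=True)]

if __name__ == "__main__":
    for cve_id, asset in prioritise(INVENTORY, VULNS):
        print(cve_id, "->", asset)
```

Real NVD configurations also express affected versions as ranges (start/end bounds) rather than only exact CPE patterns, which this matcher does not model.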
As we have seen, CVE IDs provide the foundation for tracking and managing vulnerabilities across the databases and standards built around them, such as NVD, CVSS, and CPE. FractalScan Surface integrates with these standards, leveraging CVE data to scan your attack surface and identify precisely which vulnerabilities put your organisation at risk.
Try FractalScan’s attack surface management platform today and get full visibility of vulnerabilities based on industry-standard CVE identifiers and ratings.