Below we look at the scope and complexity of CVEs and recommend actions security leaders can take to better understand where risk lies in their digital ecosystems.
Common vulnerabilities and exposures: understanding the difference
First, let’s break down the basics and explore the difference between a vulnerability and an exposure.
A vulnerability is a weakness in a system that an attacker can exploit to perform unauthorized actions within a network. Common examples include:
- Open ports exposing services that do not need to be reachable
- Unpatched systems
- Lack of two-factor authentication
Last year's Oracle BlueKai incident is an example of what happens when such a weakness, in this case a database server left reachable on the internet without protection, is exploited.
An exposure is a mistake, such as a misconfigured system or piece of software, that an attacker can use as a stepping stone into a system or network. The Capital One data breach is perhaps the best-known instance: an attacker exploited a misconfigured web application firewall to reach the personally identifiable information of roughly 100 million customers.
Not all vulnerabilities and exposures are created equal
Not all vulnerabilities or exposures pose the same risk. A flaw on a low-value, isolated asset is far less likely to lead to a significant breach than the same flaw on an internet-facing system that holds sensitive data.
Risk also depends on how long a vulnerability or exposure has been present. A gap that is identified and closed quickly poses far less risk than one that stays undetected, and therefore unremediated, for days, weeks or even months, because every day it remains open is another day for an attacker to find it.
These factors underscore the need for security leaders to have visibility into their attack surface and the cyber risk associated with each asset. After all, you can't secure what you can't see. With that insight they can direct resources and remediation to the areas that carry disproportionate risk. They must also continuously reassess their security posture as new CVEs are published and look for areas of unknown risk: in the cloud, on-premises, and across their remote workforce, geographies and subsidiaries.
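The prioritization argued for above (asset criticality and time open matter as much as raw severity) can be made concrete with a small scoring function. The following is an added example written for this page, not code from the original article or from any vendor product; the criticality scale, the multipliers and the sample findings (placeholder "CVE-0000-000N" labels, not real CVE identifiers) are all assumptions constructed for illustration. It shows that a critical-severity finding on a throwaway test VM ranks below a medium-severity finding that has sat on an internet-facing customer system for six weeks.

```python
"""Rank vulnerability findings by asset criticality and exposure window.

Added example for this page. The scoring weights, the 1..5 criticality
scale and the sample data below are assumptions chosen for illustration,
not a published standard.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # assumed scale: 1 (low value) .. 5 (crown jewel)
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    cve_id: str            # placeholder labels in SAMPLE_FINDINGS, not real CVEs
    asset: Asset
    cvss: float            # CVSS base score, 0.0 .. 10.0
    first_seen: date       # when the scanner first reported the finding
    known_exploited: bool  # assumed input: listed in an exploited-vulnerabilities catalog


def exposure_multiplier(days_open: int) -> float:
    """Weight that grows with time open: +0.1 per full week, capped at 2.0.

    The cap stops age alone from dominating severity and asset value.
    """
    return min(1.0 + 0.1 * (days_open // 7), 2.0)


def risk_score(finding: Finding, today: date) -> float:
    """Combine severity, asset value, time open and reachability into one score."""
    days_open = max((today - finding.first_seen).days, 0)
    score = finding.cvss * finding.asset.criticality * exposure_multiplier(days_open)
    if finding.asset.internet_facing:
        score *= 1.5          # reachable by anyone, not just insiders
    if finding.known_exploited:
        score *= 2.0          # active exploitation trumps theoretical severity
    return round(score, 1)


def prioritize(findings, today: date):
    """Return findings ordered from highest to lowest risk."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)


# Constructed sample inventory (not real systems or real CVEs).
TODAY = date(2021, 3, 1)
DEV_VM = Asset("dev-test-vm", criticality=1, internet_facing=False)
CUSTOMER_API = Asset("customer-api", criticality=5, internet_facing=True)
HR_DB = Asset("hr-db", criticality=4, internet_facing=False)

SAMPLE_FINDINGS = [
    # Critical severity, but on an isolated, low-value box found two days ago.
    Finding("CVE-0000-0001", DEV_VM, cvss=9.8, first_seen=date(2021, 2, 27), known_exploited=False),
    # Medium severity, internet-facing crown jewel, open for 45 days.
    Finding("CVE-0000-0002", CUSTOMER_API, cvss=6.5, first_seen=date(2021, 1, 15), known_exploited=False),
    # High severity, internal but actively exploited in the wild, open 10 days.
    Finding("CVE-0000-0003", HR_DB, cvss=7.5, first_seen=date(2021, 2, 19), known_exploited=True),
]


def ranked_ids(findings=SAMPLE_FINDINGS, today=TODAY):
    """Convenience: the CVE labels in priority order."""
    return [f.cve_id for f in prioritize(findings, today)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, TODAY):
        print(f"{risk_score(f, TODAY):6.1f}  {f.cve_id}  on {f.asset.name}")
```

Sorting by CVSS alone would put the test VM first; the score above puts the six-week-old customer-API finding first, the actively exploited HR database second and the test VM last, which is the ordering a remediation queue should follow.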
Vulnerabilities and exposures extend to an organization's third parties
Vulnerabilities and exposures are not confined to an organization's own systems; they extend to its third and fourth parties. To close these gaps, security teams need continuous visibility into this extended risk landscape. Annual audits or assessments provide only a point-in-time view of cyber risk. To limit the impact of a supply chain attack like the SolarWinds compromise, organizations must monitor third-party risk continuously, for the full lifecycle of their vendor and partner relationships.