Vulnerabilities

No piece of software is perfect. Every program has flaws, ranging from minor irritating bugs to dangerous vulnerabilities that bad actors could exploit. The Common Vulnerabilities and Exposures (CVE) list and the US National Vulnerability Database (NVD) together form a compendium of the major, publicly disclosed security flaws in computer systems.

These function as tools that help organizations improve their cybersecurity. They do so by providing a list of known vulnerabilities (each with an ID number, a description, and a public reference) that could allow attackers to break into a system and carry out malicious actions, such as reading system memory, installing malware, running code, or modifying data.

CVE records are used as a key component of cybersecurity services and products all over the world, making them an incredibly useful tool for everyone from vendors to researchers (and, ultimately, to users).

But CVE on its own doesn’t solve the problem of vulnerabilities any more than, for instance, a police bulletin listing local criminal offences solves the problem of crime. While people are increasingly aware of the inherent dangers in software vulnerabilities, that alone doesn’t comprehensively stop them from happening.

The number of vulnerabilities is increasing

The number of vulnerabilities in software continues to increase over time, as do hacker attempts to exploit them for nefarious purposes. This has been particularly pronounced during the recent coronavirus pandemic, with users more reliant on computer infrastructure than ever for remote working and learning.

Although the first quarter of 2020 lagged behind 2019 in the number of vulnerabilities recorded (in this case, lagging behind is a good thing), the rest of the year saw the number of vulnerabilities surge.

Unpatched vulnerabilities can be extraordinarily damaging, as they open up opportunities for bad actors to carry out anything from theft of sensitive internal data to ransomware attacks to web skimming incidents that steal customer credit card information. One survey carried out by the Ponemon Institute suggests that close to 60% of all data breaches are the result of unpatched software.

The risks of unpatched vulnerabilities

In many cases, organizations (and security vendors) rely entirely on CVE records for their vulnerability intelligence. That in itself is an error: CVE records are not comprehensive and may miss certain vulnerabilities, however hard the program tries to be an authoritative source.

It also, by definition, misses zero-day vulnerabilities. This term refers to vulnerabilities that have not yet been disclosed to the software's developers, so no fix exists, meaning that attackers can exploit them before anyone else is even aware there is a problem.

There is an additional challenge when it comes to patching software. A growing number of vulnerabilities also means a growing number of patches and updates that users must install to be safeguarded against them. This in itself can be a difficult and time-consuming activity. Keeping on top of vulnerabilities can be a multi-person, full-time job, and vulnerabilities can still slip through the cracks. In the aforementioned Ponemon Institute survey, 34% of respondents said they were aware that their computer systems were vulnerable to attack before the attack itself took place; they just hadn't fixed the problem.

Protecting against vulnerabilities the right way

Fortunately, tools exist to help protect against security vulnerabilities. Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) can help safeguard against some of the incoming threats from attackers exploiting vulnerabilities, by filtering out malicious inputs and request payloads. Virtual patching is a particularly powerful tool to have in your arsenal.

Rather than waiting for an official patch to be released and installed, virtual patching applies a set of rules in front of the vulnerable software that block bad behavior before it becomes a problem. It is sometimes referred to as proximity control, since it stops threats in their tracks before they have the chance to inflict any damage.

Virtual patching can also respond incredibly quickly to malicious behavior, making it an invaluable first line of defense against vulnerabilities.
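To make the "series of rules" concrete, here is an added example (not code from the original post or from any vendor) of a minimal virtual-patch layer: a rule that sits in front of a hypothetical `/export` endpoint whose `file` parameter is assumed to have an as-yet-unpatched flaw, and that admits only values matching an allow-list until the real fix ships. The endpoint, parameter name and rule identifier are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    """Minimal HTTP request model (constructed for this example)."""
    method: str
    path: str
    params: dict


@dataclass(frozen=True)
class VirtualPatch:
    """One virtual-patch rule: until the official fix is installed, only
    values matching `allowed` (and no longer than `max_len`) may reach
    `param` on `path`. A positive allow-list is used rather than a
    block-list of known-bad strings, so novel malformed inputs are also
    rejected."""
    name: str
    path: str
    param: str
    allowed: re.Pattern
    max_len: int = 256

    def violated_by(self, req: Request) -> bool:
        if req.path != self.path or self.param not in req.params:
            return False  # rule does not apply to this request
        value = req.params[self.param]
        return len(value) > self.max_len or not self.allowed.fullmatch(value)


# Hypothetical rule: the /export endpoint's `file` parameter is assumed to
# have an unpatched path-handling flaw; constrain it to a plain CSV name.
PATCHES = [
    VirtualPatch(
        name="VP-EXPORT-FILE",  # constructed identifier, not a real CVE/rule id
        path="/export",
        param="file",
        allowed=re.compile(r"[A-Za-z0-9_-]{1,64}\.csv"),
    ),
]


def screen(req: Request, patches=PATCHES) -> Optional[str]:
    """Return the name of the first violated patch (the request should be
    blocked and logged), or None to pass it on to the application."""
    for patch in patches:
        if patch.violated_by(req):
            return patch.name
    return None
```

The rule is deliberately narrow: it only constrains the one parameter the flaw is assumed to live in, so unrelated requests are unaffected and the virtual patch can be retired as soon as the official update is deployed.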

Be smart about vulnerabilities

There is no one-size-fits-all solution to the problem of software vulnerabilities. Organizations and users need to be aware of the problems they can face, and must not blindly trust either that the tools they rely on are immune to attack or, in some cases, that simply plugging the vulnerabilities listed in Common Vulnerabilities and Exposures (CVE) and the US National Vulnerability Database (NVD) is enough to guarantee safety. Installing firmware updates is essential, although it is easier said than done, particularly when it can result in system downtime.

It’s for this reason that virtual patching and the like are valuable assets — and ones you won’t regret having at your disposal. After all, just because a vulnerability exists does not have to mean that your organization is itself among the vulnerable ones.