In our previous blog – Patch Tuesday: October 2020, we briefly discussed Common Vulnerabilities and Exposures (CVE) and how software vulnerabilities are catalogued in the National Vulnerability Database (NVD). In this blog, let's dive a bit deeper into how the NVD came into existence and how it helps IT security professionals evaluate and enhance their organization's security posture.
What Is National Vulnerability Database (NVD) and Who Maintains It?
National Vulnerability Database (NVD) is a comprehensive database of reported known vulnerabilities which are assigned CVEs. It’s operated by the National Institute of Standards and Technology (NIST) and sponsored by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and by the Network Security Deployment.
When Was the NVD Established?
The NVD was originally created in 2000 and was initially called the Internet – Categorization of Attacks Toolkit or ICAT. It then evolved into the repository of vulnerabilities that it is today.
What Does the NVD Provide?
The NVD provides analysis on CVEs – the catalog of known security threats, and does the following:
- Assigns a Common Vulnerability Scoring System (CVSS) score to each vulnerability
- Determines the vulnerability types – Common Weakness Enumerations (CWE)
- Defines applicability statements – Common Platform Enumeration (CPE)
- Provides various other pieces of information relevant to the vulnerability's functionality and exploitability – i.e. how exploitation could be carried out by cyber criminals.
This information can be used by organizations to prioritize the vulnerabilities and the patches they should be deploying to keep their IT infrastructure safe.
What Scoring Information is Provided for Each Vulnerability?
The Common Vulnerability Scoring System (CVSS) is an open set of standards used to assess a vulnerability and assign a severity on a scale of 0 to 10. The NVD provides CVSS ‘base scores’ which represent the innate characteristics of each vulnerability. The severity ratings as per CVSS v3.0 specifications are:
| Severity | CVSS v3.0 base score |
|---|---|
| Low | 0.1 – 3.9 |
| Medium | 4.0 – 6.9 |
| High | 7.0 – 8.9 |
| Critical | 9.0 – 10.0 |
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a standard reporting convention for publicly known security vulnerabilities. Launched in 1999 by MITRE, a government-funded research organization, the CVE catalogs security threats.
Acting as more than a database, CVE enables organizations to set a baseline for their security tools coverage. It allows them to correlate data between vulnerabilities and their security tools services and usage.
What Is the Purpose of CVE?
The main purpose of CVE is to standardize the way a security vulnerability or risk is identified – with an identification number, a description, and at least one public reference. CVE is free to use and publicly accessible. An example of a CVE ID is CVE-2020-16891. It consists of the CVE prefix, the year the CVE ID was assigned or the year the vulnerability was made public, and a sequence number made up of digits.
The CVE description includes details such as the name of the affected product and vendor, a summary of affected versions, the vulnerability type, the impact, the access that an attacker requires to exploit the vulnerability, and the important code components or inputs that are involved.
The CVE reference includes the vulnerability reports, advisories or sources that detail the vulnerability and the exploitation that could occur.
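As an added example (not code from the original post or from Kaseya), the Python below validates CVE IDs in the format just described, maps CVSS v3.0 base scores to the severity bands from the table above, and ranks a small set of records so that the highest-severity patches come first. The record shape and the sample IDs and scores are constructed for this example and are not the NVD's actual feed format.

```python
import re

# CVE ID layout from the post: "CVE-", a four-digit year, then a sequence number
# of at least four digits (CVE-2020-16891 carries five).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# CVSS v3.0 qualitative severity bands, as listed in the post's table.
SEVERITY_BANDS = ((0.1, 3.9, "Low"), (4.0, 6.9, "Medium"),
                  (7.0, 8.9, "High"), (9.0, 10.0, "Critical"))

def parse_cve_id(cve_id):
    """Split a CVE ID into (year, sequence); raise ValueError if malformed."""
    match = CVE_ID_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError("not a well-formed CVE ID: %r" % cve_id)
    return int(match.group(1)), int(match.group(2))

def cvss3_severity(base_score):
    """Map a CVSS v3.0 base score to its qualitative rating."""
    score = round(float(base_score), 1)  # CVSS scores carry one decimal place
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score out of range: %r" % base_score)
    if score == 0.0:
        return "None"  # defined by the CVSS v3.0 spec; not in the post's table
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("every score from 0.1 to 10.0 falls in a band")

def prioritize(records):
    """Rank (id, score, rating) by base score, highest first; drop bad IDs."""
    ranked = []
    for rec in records:
        try:
            parse_cve_id(rec["id"])
        except ValueError:
            continue  # an unparseable ID cannot be matched against any feed
        ranked.append((rec["id"], rec["score"], cvss3_severity(rec["score"])))
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed sample records (simplified shape, not the NVD's real feed schema;
# IDs and scores are made up for this example).
SAMPLE_RECORDS = [
    {"id": "CVE-2020-99001", "score": 3.9},
    {"id": "CVE-2020-99002", "score": 9.8},
    {"id": "cve-2020-99003", "score": 7.0},
    {"id": "CVE-20-1", "score": 10.0},  # malformed: rejected by parse_cve_id
]
```

Running `prioritize(SAMPLE_RECORDS)` returns the three well-formed entries ordered Critical, High, Low, with the malformed ID silently dropped.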
What Is the Difference Between NVD and CVE?
While these two lists/databases are often talked about interchangeably, they are actually separate, though interconnected, entities. CVE is essentially a list of vulnerability entries and NVD is a more robust database that is built upon and fully synchronized with the CVE list so that any updates made to the CVE list appear in the NVD. The NVD also adds the analysis component for each vulnerability, as described above. As per MITRE, the CVE list feeds the NVD. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) sponsors both.
How Many Vulnerabilities Are Reported Each Year?
The cyber threat landscape is expanding with the evolution of technology and the number of software vulnerabilities being reported is increasing every year. For example, while there were 6,447 vulnerabilities that were identified in 2016, the number roughly doubled to 12,174 in 2019.
Cyberattacks can be orchestrated using the CVE and NVD database information. So, it is important to patch the vulnerabilities affecting your systems in a timely manner to keep your IT systems and data safe. The severity of the vulnerability helps you decide how to prioritize the deployment of patches in your environment.
Kaseya VSA automates software patch management to remediate software vulnerabilities and keep software up to date. With Kaseya VSA, you can monitor vulnerabilities and see the patch status of your entire IT environment in a single console.