Reading Time: 3 minutes

3 MINUTE READ

CVEs and What They Mean for SMBs

CVE Graphic
Joe Howland
Joe Howland, Chief Information Security Officer

Each year, thousands of new cybersecurity vulnerabilities emerge. If not properly and immediately addressed, your business will be open to cyberattacks. In 2021, almost 22,000 vulnerabilities were published (Comparitech – 25+ Cybersecurity Vulnerability Statistics & Facts of 2021).

To help keep track of cybersecurity vulnerabilities, the National Cybersecurity FFRDC (NCF) (funded by the Department of Homeland Security and operated by MITRE Corporation) oversees the collection of Common Vulnerabilities and Exposures (CVEs) that are then fed into the US government’s National Vulnerability Database. CVEs were created to identify and create a consistent format for sharing information about security vulnerabilities. This information helps security professionals, software vendors, and organizations ensure that vulnerabilities are patched and shored up to prevent cyberattackers from exploiting these vulnerabilities.

Let’s dive into a few FAQs about CVEs.

What is the difference between a CVE and a cybersecurity attack?

Launched by cybercriminals or other threat actors, a cybersecurity attack is any malicious action that breaches an organization’s or individual’s computer information systems. The goal? To steal or destroy valuable data, gain unauthorized access into a system or network, launch additional attacks, and more.

A vulnerability or an exposure in your IT infrastructure opens the door to cybersecurity attacks.

  • A vulnerability is any weakness in your systems (such as a software vulnerability) that an attacker can exploit to perform unauthorized actions within your systems (such as deploying malware).
  • An exposure is a mistake that an attacker can exploit to gain authorized access into your network. A vulnerability can lead to an exposure—an instance when data or systems are open to attack by a cyberattacker.

Why are CVEs made public?

It does seem counterproductive to have the world’s most damaging information regarding security vulnerabilities made available to anyone on the internet—including cybercriminals. In actuality, the pros of publicizing them outweigh the cons.

When a CVE is identified, it is submitted into NCF’s dictionary. All crucial detail is withheld in these entries, including a CVE’s technical data, impacts, and risks. When the security flaw makes the list of CVEs, it is kept secret for a time so that vendors can fix or provide a patch for the vulnerability. (If a vendor chooses not to address the vulnerability, then researchers can still document it and submit the CVE publicly.)

Then, a CVE is made public and appears in databases such as the National Vulnerability Database, with more details added about how to address the vulnerability. So, even in the case a cybercriminal attempts to take advantage of a CVE to target an organization, chances are that most organizations have already patched or fixed the vulnerability in some form to protect themselves.

Why should SMBs care about CVEs?

We’ve arrived at the question of the hour! No business is too small or too isolated to be unaffected by a cyberattack as a result of a CVE. Large enterprises, global corporations, and governments have all suffered at the hands of a CVE. To think your business can’t be a victim too can be a devastating miscalculation.

Some ways to address CVEs include:

  • Patch Management: Regular patching of systems and software is one of the most important elements of your cybersecurity foundation. Not keeping up on patching opens you up to cyberattackers who exploit known vulnerabilities. That means patching all systems—including easily overlooked systems such as cameras, DVRs, HVAC, etc.
  • Intrusion Prevention System: An intrusion prevention system, combined with the right threat intelligence about CVEs, can help prevent certain cyberattacks from taking place—even before a patch is released.
  • Security Monitoring and Scanning: Constantly scanning for vulnerabilities related to CVEs can help organizations stay ahead of threats—especially with instances where organizations may not realize a vulnerability exists.

Need assistance with cybersecurity vulnerabilities?

For some of you, this may be new information. If that is the case, you probably have a handful of other questions and concerns about your current cybersecurity strategy. In addition to our cybersecurity expertise, we can provide you with a cyber assessment that includes vulnerability scanning to determine potential CVEs opening you up to cyberattacks. Contact VC3 today through the form below to learn more about how we can help your organization become more secure.

More from VC3