Vulnerabilities are weaknesses which an attacker can exploit to gain access to systems and information and perform malicious acts. They are pre-existing weaknesses in a computer or device which attackers take advantage of, rather than something which is placed onto a system.
Staying aware of vulnerabilities is a crucial role of the cyber security industry. Understanding vulnerabilities allows those in cyber security to mitigate against these threats, or respond to attacks appropriately.
In order to stay informed, the CVE list is used. CVE stands for Common Vulnerabilities and Exposures, and the list is run by the National Cybersecurity Federally Funded Research and Development Centre (FFRDC). The CVE list provides a public database of known vulnerabilities and exposures, with entries added almost daily, which enables the cyber security community to stay aware of new threats. Communication amongst the community is important in finding and fixing vulnerabilities, and so the CVE list is very valuable.
With so many known CVEs, and the list ever-growing, a scoring system is used to assign a severity to each vulnerability. This system is called the Common Vulnerability Scoring System (CVSS), and each vulnerability is scored from 0 to 10 as a measure of threat, with 10 representing the highest risk. From this, the cyber security industry is able to understand the level of threat which a vulnerability may pose, and to prioritise a strategy for resolving the issues. Scores are assigned based on three aspects of the given vulnerability. The first aspect is the Base metrics: qualities intrinsic to the vulnerability which are constant across time and environments. Then the Temporal metrics are considered, which refer to qualities that change over time. Finally, the Environmental metrics are assessed, looking at how the vulnerability's impact changes with the context and system in which it is found. Combining an understanding of these three facets of any given vulnerability allows for an assessment of its threat level.
With such a vast number of vulnerabilities, exhaustive lists can be somewhat overwhelming. This is where the OWASP Top Ten list helps. The Open Web Application Security Project (OWASP) is an international not-for-profit charitable organisation which aims to help people and companies make informed decisions about protecting themselves adequately with cyber security. OWASP regularly updates a list of the ten highest web application security risks. This collation of knowledge from industry experts means that members of the cyber security community know where the highest risks lie, and therefore where to focus their most urgent attention.
Spotting vulnerabilities is important, but being able to share information about those vulnerabilities with others in the industry is vital in combating cyber attacks. Where lists of vulnerabilities are long and perhaps off-putting, being able to categorise threats by risk level allows those in cyber security to direct their efforts where they are most useful. Coming together to face these threats means that problems not only get solved, but can also be prevented and mitigated against in the future. The CVE list, CVSS and the OWASP Top Ten highlight some of the greatest strengths of the cyber security community: collaboration, knowledge-sharing and a desire to help others.