Cybersecurity awareness, protection, and prevention are all-encompassing. In addition to implementing the right tools and resources, and hiring skilled professionals with the right cybersecurity education and experience, organizations should be aware of the latest CVEs.
What Is a CVE?
The acronym “CVE” stands for Common Vulnerabilities and Exposures, and it refers to known computer security flaws that have been publicly identified and documented.
The National Institute of Standards and Technology (NIST) defines a CVE as: “A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.”
A reference to a specific CVE means that the flaw has been assigned a specific identification number and logged into the official CVE system, which is run by the MITRE Corporation with funding assistance from the Cybersecurity & Infrastructure Security Agency (CISA).
As of mid-December 2021, a total number of 165,133 CVEs had been recorded since the system was first devised.
How Does the System Work?
CVE entries are concise, summary-level accounts. They do not include technical data; that information appears in other databases, including the U.S. National Vulnerability Database (NVD) and the CERT/CC Vulnerability Notes Database.
Here is an example from 2021:
CVE reports can come from vendors, researchers, cybersecurity professionals — essentially from anyone who deals with these types of security issues.
CVE Numbering Authorities (CNAs) include software vendors, open source projects, coordination centers, hosted services and research groups; CNAs are authorized by the CVE Program to assign CVE numbers and publish CVE records.
Organizations and businesses that are CNAs include Adobe, Apple, Google, IBM, Microsoft and Intel. There are minimal requirements to become a partner, a relationship that includes no fees or contracts.
Here is a brief explanation of how the CVE system works:
- A vulnerability or exposure is identified;
- The vulnerability or exposure is assigned a CVE number by the CNA;
- The CNA creates a description…