When is a critical vulnerability actually dangerous?

Techzine – Erik van Klinken
New vulnerabilities emerge daily with a wide range of CVSS scores, and those scores can mislead: they do not always reflect the true risk to a given organization.
The Heartbleed bug in OpenSSL, for instance, caused significant damage despite a base score that was only medium (CVSS v2) to high (CVSS v3).
Log4Shell, on the other hand, received the maximum score of 10.0, yet many organizations have since mitigated it, so for them the remaining risk is far lower than the score suggests.
The Common Vulnerability Scoring System (CVSS) was created to standardize how vulnerability severity is expressed; it originated with the US National Infrastructure Advisory Council in 2005 and is maintained today by FIRST, while NIST publishes scores through the NVD. It has limitations, and above all it measures severity, not actual risk.
CVSS 4.0 was introduced to better reflect the reality of today's threats, with new metrics relevant to OT and IoT environments, such as safety impact.
Yet the assumption that a higher CVSS score means greater danger persists.
Security teams prioritize high-scoring vulnerabilities because the base metrics capture things such as how freely an attacker can move (reachable over the network, no privileges, no user interaction required) and the impact on system availability.
But a CVSS base score carries no context: it says nothing about the specific impact on a particular organization, such as whether the vulnerable component is even exposed or already mitigated.
FIRST, the organization that maintains CVSS, aims to make CVSS 4.0 a "game-changer" by reducing ambiguity and weighing recoverability more heavily.
Threat intelligence and detection of active threats are also important in determining the true risk to an organization.
Containment rather than prevention of cyber dangers is the current reality, with experts recommending defense-in-depth techniques and zero-trust principles to prevent lasting damage.
To decide whether a critical vulnerability is actually serious, an organization should weigh its own context and the real-world exploitability of the flaw (is there a working exploit, is it being used in attacks, is the affected component exposed) rather than rely on the CVSS score alone.
Security solutions such as SentinelOne Singularity and CNAPP can help filter out noise and provide concrete insights about cyber threats.
Link: https://www.techzine.eu/blogs/security/115406/when-is-a-critical-vulnerability-actually-dangerous

