Learn the Difference Between CVE and CVSS, and What They Mean to You
Share with Your Network
CVE (Common Vulnerabilities or Exposures) refers to a list of publicly disclosed cybersecurity weaknesses, organized by identification numbers with descriptions and published dates. Many organizations prioritize CVEs using CVSS (Common Vulnerability Scoring System), a basic scoring framework that rates each CVE based on perceived severity. Understanding the difference between these terms is helpful to comprehend how they relate to effective vulnerability management.
This blog explores the nature and limitations of CVEs and CVSS, along with the challenges they present for risk reduction.
What is a CVE?
Since 1999, MITRE has maintained a free and publicly available list of known vulnerabilities and cybersecurity issues known as the CVE (Common Vulnerabilities and Exploits) Program. While there has always been controversy about the benefits (or pitfalls) of publishing known vulnerabilities and exploits, having this information widely available and accessible helps organizations patch potentially disastrous vulnerabilities more efficiently than if left to their own efforts.
CVEs are often submitted by researchers, white hat hackers, and vendors. Each CVE is then chronicled and organized by identification numbers (CVE Identifiers), which in turn creates a searchable list. A CVE record contains a description of the vulnerability, one or more public references for additional information, and the date the CVE was published.
MITRE acts as the primary CNA (CVE Numbering Authority) aggregating a high-level list of CVEs linking to other key information such as risks, CVSS scoring, fixes, etc. Other CVE databases also help organizations develop patches for critical security vulnerabilities. Microsoft, for instance, is a prominent CNA. This only makes sense, based on the sheer volume of vulnerabilities discovered in Microsoft products.
What is CVSS?
Regardless of the size of their budget or even their Security and IT teams, enterprises in all industries typically only have the resources to patch one out of 10 CVEs detected within their infrastructures. This means they have no choice but to prioritize which vulnerabilities to patch.
As a way to rank CVEs, many look to CVSS (Common Vulnerability Scoring System). Measured on a scale of 1-10, CVSS scores are based on an open, standardized methodology that provides a quick and easy numeric indicator of the severity of a vulnerability. (Many organizations by default try to remediate all CVEs assigned a CVSS score of 7 or above.)
Since they’re published and maintained in the National Vulnerability Database (NVD) (another widely known and publicly available tool), CVSS scores often create the foundation for an organization’s vulnerability management strategy. In fact, many vulnerability scanners simply repackage CVSS scores as the basis for their vulnerability fix lists.
What are the limitations of CVE and CVSS?
CVEs and CVSS are useful, but their value is limited, particularly due to the dynamic nature of vulnerabilities and how they’re exploited—and the need for Security teams to weigh more information than is available in either CVE records or within the CVSS scoring system.
CVE records, for instance, generally lack key information such as exploit codes, fixes, popular targets, known malware, remote code execution details, etc. To find those, Security personnel have to do some additional sleuthing. (CVE records do often link to vendor sites and other resources, and these may in turn include links to patches and remediation advice. But it’s a manual, hunt-and-peck process that can be overwhelming to Security teams facing a list of hundreds, even thousands of so-called critical vulnerabilities.)
Another drawback to CVE is it represents vulnerabilities in unpatched software only. Organizations with a traditional approach to vulnerability management have long focused on unpatched software, trusting patched software to be accounted for and “safe.” This limited understanding ignores crucial attack vectors in a network or system.
CVSS scores have their own limitations. First, CVSS is a static scoring method. Most CVEs receive a CVSS score within a few weeks of discovery and before any exploits are written against them. They’re scored based on the initial assessment of their potential to be exploited, and then rarely—if ever—updated.
CVSS scores also lack context, failing to factor in the prevalence of the vulnerability in actual network environments, the volume of exploits targeting that vulnerability, or other contextual information required for a security analyst to truly understand the level of risk a CVE poses to their unique environment.
In fact, when it comes to preventing a breach by remediating the vulnerabilities most likely to be weaponized against a specific enterprise, a vulnerability score on its own is useless.
Why CVSS isn’t good enough to prevent a breach
Because of these shortcomings, CVSS scores are not equipped to provide insight into the relative criticality of each vulnerability within a specific enterprise environment. When remediation teams base their patch strategy on CVSS scores alone, they end up wasting limited time and strapped resources remediating potentially low-risk vulns. Not only can this increase tensions between Security teams tasking fix lists to IT teams and it doesn’t do much to reduce overall cybersecurity risk.
Research shows that 2% to 5% of your vulnerabilities will be exploited, but CVSS can assign as many as 40% of all CVEs a score of 7 or higher.
Leading analyst firms have emphasized the need for risk-based vulnerability management. Advanced risk-based vulnerability management (RBVM) is a data-driven approach to vulnerability prioritization based on threat and vulnerability intel pulled from the wild, data science, predictive analytics, and your organization’s acceptable level of risk. By focusing on the riskiest vulnerabilities, teams can better target their time and efforts.
The most advanced vulnerability management programs automate previously manual tasks and turn intel into insight for more effective vulnerability management prioritization. As a result, organizations cut costs, make more efficient use of their limited resources, and do a better job reducing risk.
Learn more about expanding your vulnerability remediation strategy beyond CVEs and CVSS. Visit www.cisco.com/go/vulnerability-management.
This blog was originally written for Kenna Security, which has been acquired by Cisco Systems. Learn more about Cisco Vulnerability Management.
