
The traditional focus on Common Vulnerabilities and Exposures (CVEs) is a problem, although the reason varies from person to person and from organization to organization.
The mitigation strategies of IT and security teams have become too focused on "vulnerability management" and too CVE-centric, when what we really need is a hacker-centric approach to effectively reduce our exposure.
Vulnerability management as a primary strategy does not really work. As per NIST, 20,158 new vulnerabilities were discovered in 2021 alone, and more than 21,000 have been discovered so far in 2022. This is the sixth consecutive year with numbers of this size. Security teams cannot reasonably patch 20,000+ new vulnerabilities every year.
Recent research shows that only about 15% of vulnerabilities are actually exploitable, so patching every vulnerability is not an effective use of time for security teams that have no shortage of tasks. The second and equally important reason is that even if you did continuously patch 100% of the CVEs in your network, this still would not be effective at stopping hackers.
Phishing, spear-phishing, social engineering, leaked credentials, default credentials, unauthenticated access over standard interfaces (FTP, SMB, HTTP, etc.), open wireless hotspots with no passwords, network poisoning, password cracking: the list of techniques hackers employ is vast and varied, and many of them do not require a high-severity CVE, or any CVE at all, to be dangerous to an organization.
Leaked credentials likely pose a far greater threat to the average organization than the next dozen CVEs to be announced combined, yet many organizations have no protocol in place to discover if any of their credentials are floating around in the darker parts of the Web.
In the recent breach carried out by an 18-year-old, there was no complicated coding or vulnerability exploitation. Instead, it was a variation on an old-school tactic that is tried and true.
Yes, patching is very important; it is a critical part of a strong security posture and a crucial component of every security strategy. The issue is that many tools today prioritize remediation recommendations based solely on CVSS scores, and what gets lost is the organizational context: the understanding of how to separate the meaningful 15% of vulnerabilities from the other 85%.
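To make the contrast between CVSS-only and context-aware prioritization concrete, here is an added example (not code from the original post or from any particular tool). It takes a constructed list of findings, ranks them the way a CVSS-only tool would, then re-ranks them with the organizational context the paragraph above describes: evidence of real-world exploitation, whether the affected service is reachable from the Internet, and how critical the hosting asset is. The CVE identifiers, the field names and the weighting factors are all assumptions chosen for illustration, not values from any standard.

```python
from dataclasses import dataclass

# Constructed finding record. Field names and the placeholder CVE ids are
# assumptions for this example, not a real feed format.
@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder id, e.g. "CVE-EXAMPLE-A"
    cvss: float               # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool   # listed as actively exploited by a trusted source
    exploit_public: bool      # working exploit code is publicly available
    internet_exposed: bool    # vulnerable service reachable from outside
    asset_criticality: int    # 1 (lab box) .. 5 (business-critical system)


def cvss_only_rank(findings):
    """Ordering produced by a tool that sorts purely on CVSS base score."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def context_score(f):
    """Risk score that folds organizational context into the base score.

    Weights are illustrative assumptions; the point is the shape of the model,
    not the exact numbers.
    """
    score = f.cvss
    # Exploitation evidence dominates: a 6.5 being exploited today matters
    # more than a theoretical 9.8 nobody has weaponised.
    if f.exploited_in_wild:
        score += 6.0
    elif f.exploit_public:
        score += 3.0
    # Reachability: an attacker has to be able to get to the service at all.
    score *= 1.5 if f.internet_exposed else 0.5
    # Business impact of the asset that hosts the flaw (3 = average).
    score *= f.asset_criticality / 3.0
    return round(score, 2)


def context_rank(findings):
    """Ordering once exploitability, exposure and asset value are considered."""
    return [f.cve for f in sorted(findings, key=context_score, reverse=True)]


def patch_now(findings, threshold=10.0):
    """The subset worth immediate attention: the 'meaningful' slice of the backlog."""
    return [f.cve for f in sorted(findings, key=context_score, reverse=True)
            if context_score(f) >= threshold]


# Constructed sample findings (not real CVEs or real scan output).
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 9.8, False, False, False, 2),  # critical CVSS, internal lab host
    Finding("CVE-EXAMPLE-B", 6.5, True,  True,  True,  5),  # medium CVSS, exploited, exposed, crown jewel
    Finding("CVE-EXAMPLE-C", 8.1, False, True,  True,  3),  # public exploit, exposed, average asset
    Finding("CVE-EXAMPLE-D", 7.2, False, False, False, 5),  # internal only, critical asset
]

if __name__ == "__main__":
    print("CVSS-only order :", cvss_only_rank(SAMPLE))
    print("Context order   :", context_rank(SAMPLE))
    print("Patch now       :", patch_now(SAMPLE))
```

On the sample data the CVSS-only view puts the 9.8 on an isolated lab host first and the actively exploited, Internet-facing 6.5 on a business-critical system last; the context-aware ranking inverts that, and `patch_now` reduces the four findings to the two an attacker could actually use. Real deployments would replace the boolean flags with data from exploitation feeds and an asset inventory, but the scoring shape stays the same.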
Vulnerability management is definitely a core part of any security strategy, but we need to move away from it as the primary methodology. If we want our security to actually be effective at reducing our exposure, our strategies must focus on understanding the real-world techniques and methodologies that hackers are using to exploit us.