General 3min de Leitura - 18 de September de 2020

CVE: a collaborative effort to combat security breaches

This post is also available in: Português English Español

Since humanity started storing data on computers, there has been a concern to keep this set of information safe. The gigantic growth in access to computers, tablets and smartphones has only increased the number of threats to protect everything that is saved in these devices – or through them, as in the case of cloud computing. This expansion is confirmed and reaffirmed every day, through news reporting that even high-ranking members of the government are suffering invasions – even though they are surrounded by specialized cybersecurity bodies.

However, anyone working to prevent and combat attacks on information systems and data storage is aware. Proof of this is that they create and perfect ways to minimize risks and damages resulting from invasions, and even prevent them from happening. The professionals dedicated to this task work collaboratively, sharing information and knowledge on the subject with the whole world.

One of these initiatives is CVE, which stands for Common Vulnerabilities and Exposures. It is a mix of dictionary and catalog with lists of names for vulnerabilities and other information security exposures. CVE is free and public for use by anyone interested in researching vulnerabilities and security tools.

CVE is maintained and updated through collaborative work by the entire professional community, called the CVE Editorial Board. This institution has representatives from various security-related organizations, such as security tool developers, academic bodies and governments.

But what are these vulnerabilities?

According to the ISO 27000 information security certification (read the post we created about this ISO by clicking here), vulnerabilities are the weaknesses of an asset that could potentially be exploited by one or more threats, resulting from human failures, outdated technologies or even even for malicious actions.

In this sense, those who work with information security have already seen denominations of vulnerabilities or links that lead to sites that detail the fault found. These are links with the title CVE followed by a dash, four digits that identify a year, plus a dash and four other numbers. An example would be CVE-2019-0001, with 2019 being the year in which the failure was reported – one of the ways to report the problem is through the website

Each CVE item has a status, which can be either “entry” or “candidate”. While the “entry” classification means that the name has been included in the CVE list, the “candidate” points out that the nomenclature is under review for inclusion in the list – with the possibility of entering or not. In addition to the name with numbers and status, you should have a brief description of the vulnerability and references or supervision reports.

There are also the “Reserved”, “Disputed” and “Rejected” statuses. The first one means that the threat has been reserved for use, but details of the vulnerability are still missing. The second deals with items where there is disagreement by a party involved about the problem, the ideal being, in this case, that there be more research for other references – or that a contact be made with the affected supplier or developer. Entries with the “rejected” code should be ignored, as they were not accepted at CVE.

What does CVE do for my company’s security?

CVE makes a difference when it comes to selecting the best security feature choices for your business’s information technology structure – regardless of size or industry.

However, it should be noted that CVE is a guide that helps to identify flaws, without being able to accurately determine which vulnerability was exploited in an eventual invasion. After all, its function is to give information about failures after they have been found, something that facilitates the correction and search for technical details.

CVE is therefore one of the best and most reliable sources of research on failures and exposures. It allows you to use the name of the specific vulnerability in a search, allowing companies to obtain information quickly and accurately from a variety of CVE-compliant data sources.

So, how to be protected from vulnerabilities?

It is a relatively complex process to keep threats at bay, and risks must be controlled to protect and secure the company’s systems. It is essential to carry out preventive actions and manage vulnerabilities, which is the process of identifying, classifying, analyzing and addressing failures.

Acting frequently and professionally, you can find out which CVEs reach your company, compare the developments each week, as well as different problems and solutions. In this contexto, OSTEC has a wide range of products and services focused on digital security that guarantee total protection for your results. Talk to one of our experts and learn more.

This post is also available in: Português English Español