The Heartbleed OpenSSL bug proved that naively trusting software to be secure can lead, at minimum, to system downtime and, at the extreme, to the theft of company data. Heartbleed was arguably the first vulnerability with its own branded website, and knowing Heartbleed's CVE identifier, CVE-2014-0160, was valuable to information security professionals as a way to further their research into Heartbleed's impact and mitigation.
As InfoSec professionals we are required to prioritize software vulnerabilities, so that administrators spend their valuable time mitigating a bug that allows exfiltration of sensitive data rather than a bug that at worst causes system downtime. The best starting point for that prioritization is the CVE (Common Vulnerabilities and Exposures) list maintained by MITRE, together with the National Vulnerability Database (NVD) that NIST builds on top of it. Each bug is assigned a unique CVE ID as it is entered into the list, and NVD analysts then assign it a CVSS (Common Vulnerability Scoring System) base score: a standardized measurement of the vulnerability's severity that lets it be compared against other vulnerabilities.
The CVSS base metrics capture how the vulnerability is reached (locally, from an adjacent network, or remotely over the network), how difficult it is to exploit, whether authentication is required to exploit it, and how much each leg of the CIA triad (confidentiality, integrity, availability) of the affected data is impacted.
Using Heartbleed's CVSS vector as an example: the Confidentiality Impact was rated 'Partial,' because the bug leaked process memory to a remote attacker without exposing everything on the system; the Integrity and Availability metrics scored 'None,' because it neither modified data nor affected uptime. Heartbleed also scored 'Low' on the Access Complexity scale, because very little skill was required to pull off a successful exploit, and 'None' for Authentication, because no credentials were needed. These weighted metrics are combined by the CVSS base equation into an overall base score from 0.0 to 10.0. A High score lies between 7.0 and 10.0, a Medium between 4.0 and 6.9, and a Low between 0 and 3.9. Note that this places Heartbleed at 5.0, a Medium: the base score measures technical severity, not how widely deployed the vulnerable code is or how valuable the exposed data is, so it should inform prioritization rather than replace judgement. The full ranking and metrics system is available online from FIRST, the organization that maintains CVSS.
I've seen many systems administrators waste valuable time mitigating a bug with a low score while a vulnerability in the CVSS High range sat unresolved. With the CVSS scoring system, CISOs have a free and powerful tool for weighting the risk of vulnerabilities and their impact, which in turn helps InfoSec teams assign resources to the highest-risk vulnerabilities first.
There are several sites that host the CVE database and allow you to search it, download it, or opt in to email alerts and RSS feeds. One of them is CVE Details; this site has a friendly GUI and some neat tools for searching by product, vendor, or CVSS score. The U.S. government's National Vulnerability Database (NVD), maintained by NIST, is the official enriched view of the CVE list and includes quick links to SCAP and FDCC tools.
US-CERT also lists CVEs, as well as email alert summaries and portals for Industrial Control Systems security and home users.
Separate from the CVE database, but a valuable page to bookmark and read, the SANS Internet Storm Center (ISC) monitors and reports on malicious internet activity and emerging attack trends.
Take advantage of the security bulletins posted by vendors. Most vendors post their software vulnerabilities on their websites, and some offer email or RSS feed updates of these vulnerabilities. I've included the bulletin pages for some top vendors at the end of this article. If you're not sure where to locate the security bulletin page for a particular vendor, drop me a line and we'll hunt it down together.
Happy and Safe Computing!
Microsoft Security Bulletins: https://technet.microsoft.com/security/bulletin/
Apple Security Bulletins: http://support.apple.com/kb/HT1222
Adobe Security Bulletins:
Oracle Security Bulletins: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Linux Distribution Security Bulletins: http://www.linuxsecurity.com/content/section/3/170
By Brian Thomas | @InfoSec_Brian
Bio: Passionate professional with 17 years’ experience providing Tier-4 data solutions in all disciplines of IT including Network/Server administration and Information Security. Proven experience in HIPAA, ISO 27001 and PCI compliance.
http://www.linkedin.com/in/bmthomas
https://twitter.com/InfoSec_Brian
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.