Week-8 Vulnerability Management (VM)

What Are Vulnerabilities?

A vulnerability is a weakness that an attacker can exploit.

• Common causes include design flaws, coding errors, poor configuration, or missing security controls.
• Over 259000 unique vulnerabilities were listed in the NVD by Aug 2024 (NVD, 2024).
• Zero-day vulnerabilities are unknown to the vendor and exploited before a patch exists.
  Example: Stuxnet used several zero-day flaws to compromise Iran’s nuclear systems.

Main Categories of Vulnerabilities

• Hardware
  Flaws in physical components. Examples include Meltdown, Spectre, and Rowhammer-style attacks. More...

• Software
  Bugs from poor coding, weak validation, or inadequate testing. Examples include buffer overflows and injection flaws.

• Network
  Weak configurations such as open ports, outdated protocols, or weak firewalls.

• Human Factors
  Errors like weak passwords, phishing, or mishandling sensitive data.

Vulnerability Management: The Challenge

• Modern computer systems are complex
• Errors and vulnerabilities exist in both software and hardware
• Vendors work to patch vulnerabilities, but new ones emerge constantly
• Organisations need a structured approach to handle them

The Vulnerability Life Cycle

A process that manages a vulnerability from discovery to resolution.

Why VM?

• Converts raw vulnerability data into actionable priorities
• Ensures consistent scoring across platforms and vendors
• Supports risk-based patching and resource allocation
• Integrates with resilience planning to reduce impact before patchin

Vulnerability lifecycle: Once more

1. Discovery (Next Term with Cyber Operation and Testing)

• How vulnerabilities are found: pentesting, bug bounties, research, incident analysis.
• We assume discovery is complete - our focus is what happens next.

2. Classification: CWE (Common Weakness Enumeration)

• Community-developed list of common software and hardware weakness types
• Maintained by MITRE
• Focuses on categories of flaws rather than specific instances
• Provides a common language for describing weaknesses
• Enables root cause analysis to prevent recurrence
• Supports security tools in identifying and reporting issues consistently
• Serves as a bridge between weakness types and specific vulnerabilities (CVEs)

Activity : Take 5 mins

What is the difference betweeen Weakness vs Vulnerability?

Weakness vs Vulnerability

• Weakness - root cause condition (e.g., missing authentication, improper bounds check)
• Vulnerability - an instance of one or more weaknesses in a specific product
• CWE focuses on root cause

CWE Structure & Mapping Levels

Over 900 weaknesses, ranging from abstract to very specific. Four abstraction types: Pillar; Class; Base; Variant For root cause mapping, use Base or Variant when possible. Each CWE has a mapping label: Allowed - can map to vulnerabilities Allowed (with review) - use with caution Discouraged - avoid mapping Prohibited - must not be used for mapping

CWE Structure & Mapping Levels

Developer View (699) - ~400 common software weaknesses, 2 levels deep Research View (1000) - deep tree, 10 high-level pillars NVD View (1003) - ~130 most common weaknesses in NVD Hardware Design View (1194) - ~100 hardware-specific weaknesses Software Assurance Trends View (1400) - 22 high-level categories for large-scale analysis

What Does a CWE Include?

CWE Examples

How to Look It Up for an CWE

1. Go to https://cwe.mitre.org/
2. In the search box, type CWE-79
3. Open the result and review:
   • Summary
   • Examples
   • Mitigations

3. Identifiction - CVE: Common Vulnerabilities and Exposures

• CVE = Common Vulnerabilities and Exposures
• Provides a unique identifier for a specific vulnerability
• Maintained by MITRE and CVE Numbering Authorities (CNAs)
• Format: CVE-YYYY-NNNNN
  Example: CVE-2024-12345
• Used globally to ensure everyone refers to the same vulnerability

Purpose of CVE

• Consistency - One ID for a vulnerability across all reports
• Clarity - Avoids confusion between similar flaws
• Tracking - Links to security databases and advisories
• Integration - Connects with:
  • CWE for weakness type
  • CVSS for severity score
  • KEV for exploitation status

CWE vs CVE

CWE = theory and patterns, used to avoid mistakes
CVE = real world cases, used to fix mistakes

How to Look Up a CVE

1. Go to https://www.cve.org/
2. Enter the CVE ID in the search bar (e.g., CVE-2024-12345)
3. Review:
   • Description - What the flaw is
   • Affected Products - Versions impacted
   • References - Vendor advisories and patches

Example CVE

CVE-2021-44228 - Apache Log4j Remote Code Execution

• Summary: Log4j versions 2.0-2.14.1 allow attackers to execute arbitrary code via crafted log messages.
• Impact: Widespread exploitation, critical remote execution vulnerability.
• References: Apache advisory, NVD entry, security blogs.

4. Scoring/Measuring Severity - Using CVSS:

Common Vulnerability Scoring System

• Open standard for measuring vulnerability severity
• Developed by FIRST (Forum of Incident Response and Security Teams)
• Produces a score from 0.0 to 10.0, Increment of
• Helps prioritise remediation efforts

Purpose of CVSS

• Consistent scoring of vulnerabilities across platforms
• Allows comparison of different vulnerabilities
• Supports risk-based prioritisation
• Widely used in vulnerability management tools and databases

CVSS Scoring Components

1. Base Metrics - Intrinsic characteristics of the vulnerability (constant over time)
2. Threat Metrics - Current likelihood of exploitation
3. Environmental Metrics - Context-specific impact to your organisation
4. Supplemental Metrics - Additional details (e.g., safety, automation)

CVSS v4.0 Metrics

1. Base Metrics ()

N = remote over internet ; A = same network ; L = needs local access ; P = physical contact ; N is highest risk

CVSS v4.0 Metrics

2. Threat Metrics

CVSS v4.0 Metrics

3. Environmental Metrics

CVSS v4.0 Metrics

4. Supplemental Metrics

Example:

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Overall interpretation

• The vulnerability is easy to exploit, requires only low privileges, and no user interaction.
  Its impact on confidentiality, integrity, and availability is high, so it represents a high-severity risk.

• Although it does not affect safety, the technical damage is significant and remediation should be prioritised.

5. Prioritisation using KEV

The KEV catalogue is a public list managed by CISA that records vulnerabilities which are confirmed to be actively exploited by attackers.

Why

• A vulnerability in KEV is not theoretical. It is already being used in real attacks.
• This makes it a higher priority than vulnerabilities with a similar CVSS score but no known exploitation.
• CISA also provides remediation deadlines, which helps organisations decide what to fix first.

How KEV is used:

• Combine CVSS severity with KEV status.

  • Example: a Medium CVSS vulnerability that appears in KEV may become a higher priority than a High CVSS issue that is not exploited.

• Helps organisations focus on the vulnerabilities that pose the most immediate real-world risk.

Example:

• CVE-2021-44228 (Log4Shell) - Added to KEV in Dec 2021
• CVSS: 10.0 (Critical)
• Actively exploited by multiple threat actors worldwide

6. Resilience & Redundancy

Beyond detection and prioritisation

Where They Fit

• CWE: Describes the type or category of the weakness
• CVE - Identifies the specific vulnerability
• CVSS - Scores the severity
• KEV - Confirms active exploitation
• Resilience & Redundancy - Keep systems running even before a fix is applied

Redundancy

• Backup components or systems ready to take over
• Examples:
  • Standby servers and failover clusters
  • Data replication across sites
  • Load balancing

Resilience (More in Inciednet Response Week)

• System’s ability to absorb and recover from attacks
• Examples:
  • Segmented networks
  • Defence in depth
  • Automated incident response

Why It's important:

If KEV flags a vulnerability as actively exploited and a patch can’t be applied immediately, resilience and redundancy buy time and limit damage until remediation is complete.

Lab and Acticities

• Review you lab from here