The first step in uncovering vulnerabilities is knowing what they are
GI Joe taught children of the 80s valuable life lessons and gave insights into military strategy, although I am pretty sure they didn’t pioneer the concept of knowing your enemy. In fact, one of the more popular proverbs of the famous Chinese military general, strategist and philosopher Sun Tzu says, “If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
This is true for GI Joe, as well as in the trenches of IT security … threats are the enemy, and every mitigated vulnerability on your network is a victory in reducing the attack surface. But it doesn’t take a rocket surgeon to figure out that you can’t fix a vulnerability if you don’t know it exists.
Thus, security researchers were born to discover and disclose vulnerabilities for the masses. The most popular source is the National Vulnerability Database (NVD), a repository of vulnerability data managed by the US government. While the NVD is a good source of data, it’s not an exhaustive list of vulnerabilities. A vulnerability needs to have a Common Vulnerabilities and Exposures (CVE) assigned to it to be added to the NVD. And to get a CVE, the discovered vulnerability must be reported to the CVE Numbering Authority or one of the data sources it follows.
Not every vulnerability gets a CVE, and those that don’t are not cataloged in the NVD. This simply means that the NVD shouldn’t be your only source of vulnerability data. If your risk analysis solution relies only on the NVD for vulnerability data, you won’t have a complete picture.
The Skybox Research Lab consolidates intelligence from more than 20 sources (including the NVD) into the Skybox Vulnerability Database to provide the most comprehensive view of the current state of vulnerabilities. To put that in numbers, using only the NVD would get you 84 percent of the vulnerabilities in the Skybox Vulnerability Database.
For example, only 36 percent of all JunOS vulnerabilities have CVEs. Or consider Microsoft EMET 4.1 Local DoS Vulnerability by Bypassing It (SBV-43432), another vulnerability with no assigned CVE. In some (very important) cases, using the NVD only is simply not good enough. The Skybox Vulnerability Database is incorporated into all Skybox solutions, so our customers have comprehensive visibility into all known vulnerabilities.
A similar comparison can be made between the Skybox Vulnerability Database and vulnerability scanners. A fact: none of the vulnerability scanners on the market can detect all your vulnerabilities, and coverage varies between vendors. Therefore, it’s important to understand the strengths and weaknesses of your scanners, since they may be your primary method of detecting vulnerabilities. The Skybox Vulnerability Database includes a mapping to the vulnerabilities discoverable by all popular scanners, creating a superset of vulnerability data.
To ensure that you are reducing your attack surface daily and reducing risk, you need to consider all known vulnerabilities. Without a complete understanding of all the potential vulnerabilities that may exist on your network you are setting yourself up for failure.
And now you know…