What is a Common Vulnerabilities and Exposures (CVE)?
August 20, 2020
You may have heard Information Technology professionals use the acronym CVE with increasing frequency recently. And, if you don't come from an Information Technology background yourself, it might be time to learn a bit about what that term means. Why? Because this year is on track to be the largest year for CVEs yet, and a bit of understanding of what that means to you could dramatically raise your cybersecurity awareness.
Looking up the CVE Dictionary in an Encyclopedia
CVE stands for Common Vulnerabilities and Exposures. And, Wikipedia describes it as "a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities" -- but that definition is not quite as accessible as we'd like. Paraphrasing, we'd describe it as a place where publicly-known software vulnerabilities are described. But sure, each CVE gets an identifier -- like CVE-2020-0796 for the recent Windows 10 worm -- so you can call it a dictionary if you like. Only it's an extremely esoteric dictionary, because all of the "words" you can look up are formatted a lot like that CVE-2020-0796 one.
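As an added example (not code from the original post), here is a small Python helper that parses and normalises identifiers of the form just described, so that however a CVE is typed in a ticket, chat or report it maps to the same dictionary key. The regular expression encodes the official syntax (the literal prefix CVE, a four-digit year, and a sequence number of at least four digits); the sample text is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# CVE identifier syntax: literal "CVE", a four-digit year, then a sequence
# number of at least four digits (longer sequences have been valid since
# 2014, so "CVE-2014-1234567" is well-formed while "CVE-2020-796" is not).
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Re-serialise with zero padding so IDs compare and sort consistently.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return a CveId for a well-formed identifier, or None otherwise.

    Input is trimmed and upper-cased first, so "cve-2020-0796" as often
    typed in a ticket resolves to the same key as "CVE-2020-0796".
    """
    m = _CVE_RE.match(text.strip().upper())
    if not m:
        return None
    return CveId(year=int(m.group(1)), sequence=int(m.group(2)))


def extract_cve_ids(text: str) -> List[CveId]:
    """Find every CVE identifier in free text, de-duplicated, in first-seen order."""
    found: List[CveId] = []
    for m in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", text, flags=re.IGNORECASE):
        cve = parse_cve_id(m.group(0))
        if cve is not None and cve not in found:
            found.append(cve)
    return found


if __name__ == "__main__":
    # Constructed sample note; the identifier is the one discussed on this page.
    note = "Patch status: cve-2020-0796 (SMBv3) open on two hosts; CVE-2020-0796 tracked in ticket 42."
    print([str(c) for c in extract_cve_ids(note)])  # -> ['CVE-2020-0796']
```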
So why do we need CVEs? That part is easy. Pre-1999, imagine that you were in a large organization whose patchwork corporate IT setup involved pieces from wildly separate lineage: Netware, Windows NT, Macintosh, etc. And you wanted to keep up with new vulnerabilities on each component of your IT infrastructure, to stay on top of mitigating the risk of attack. Good luck!
You'd have to be exceptionally tuned in to each vendor's process for notifying customers of newly found vulnerabilities. You'd have to be extremely adept at making sense of third-party sources (including black hat sources). You'd have to have an extraordinary willingness to synthesize all of this information and draw conclusions for yourself (without much help) about the nature of the risk associated with the vulnerabilities you learned about.
So, why CVEs? To unify the archive of publicly-known vulnerabilities in one consolidated place. For the convenience of all stakeholders.
The Benefit of a Dictionary
Imagine if every time you wanted to use some relatively obscure word, you had to redefine it in context rather than say/write the word. It would be burdensome. That's how it feels sometimes to describe a publicly-known vulnerability without referencing the CVE. In this blog, we've occasionally written about the Windows 10 worm in the Microsoft Server Message Block 3.1.1 component, discovered in Q1 2020, leading to a remote code execution vulnerability. That's a pretty dense description. With CVEs, we can shortcut that -- by talking about CVE-2020-0796 and knowing that any experienced Information Technology professional will know how to go from that identifier to the excruciatingly detailed technical information about the vulnerability.
In an industry as fast-moving as Information Technology, the consolidation of vulnerability information via CVE has been tremendously helpful. All stakeholders -- vendors, customers, partners, and end-users -- can now use a common "dictionary" when discussing vulnerabilities. That brings order to a topic area that was previously chaotic.