Understanding the Difference Between Vulnerabilities and Exposures
- Jun 01, 2022
- Brad LaPorte
The cybersecurity world talks a lot about “common vulnerabilities and exposures” (CVEs) and compiles ongoing lists of them with a CVE numbering system. Effective risk management involves understanding and tracking this list and taking precautionary measures against cyber threats as a result.
With vulnerabilities and exposures often lumped together, it can be helpful to understand what exactly a vulnerability is and how it is different from an exposure. So let’s jump in.
Outside of computer systems, “vulnerability” implies a certain weakness that can lead to harm. A vulnerability in a body can lead to injury or disease. A local economy can have vulnerabilities, such as being overly dependent on one industry or potentially losing skilled workers.
For cybersecurity purposes, the definitions of a vulnerability can vary. According to Techopedia, it’s “a software coding error that is used by hackers to enter an information system and perform unauthorized activities while posing as an authorized user.”
Other definitions don’t assume that the vulnerability has been taken advantage of by cyber criminals. Rather, vulnerabilities are described as weaknesses within a piece of software, unlocked doors, unprotected information ports, and other openings that have the potential to be exploited by threat actors.
Where a vulnerability implies only the potential for exploitation, “exposure” suggests that the weakness has in fact been taken advantage of by someone taking unauthorized actions. That is, the hacker knew the vulnerability existed and took advantage of it.
“During an exposure, attackers may gain information or hide unauthorized actions,” Techopedia says. Other definitions emphasize the action element of the term, saying that it reflects exposure to damage “for a single time period.”
The point here is that combining vulnerabilities with exposures results in data breaches or other security issues that can have serious consequences for the organization that has been attacked.
For years, these vulnerabilities were known or tracked only by vendors selling cybersecurity tools and no common knowledge base existed or was shared. But, in 1999, a non-profit organization, MITRE, started collecting information from different information sources, creating a catalog of CVEs. It now runs federally funded research and development centers and maintains a website that lists all the common vulnerabilities and exposures. The work is sponsored by the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the US-CERT.
The CVE system identifies these weaknesses with a numbering scheme in which the first four digits of each identifier give the year the vulnerability was discovered – e.g., CVE-2021-12345. MITRE has had to add more digits to the sequence-number field as the number of CVEs has grown each year.
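As an added illustration (not code from the original post or from MITRE), the following Python parses identifiers in that format: the literal prefix, a four-digit year, then a sequence number of at least four digits that, since the field was widened, may run longer. The sample ticket text it scans is constructed for this example; only CVE-2021-12345 comes from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# CVE identifier syntax: "CVE-" + four-digit year + "-" + a sequence number of
# at least four digits. The widened field means the sequence number may be
# longer than four digits, so the pattern puts no upper bound on its length.
_CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Sequence numbers are printed with at least four digits (CVE-2021-0001).
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return the parsed identifier, or None if the text is not a valid CVE ID.

    Whitespace and letter case are normalised first, because identifiers copied
    out of advisories and tickets often arrive as 'cve-2021-12345 '.
    """
    candidate = text.strip().upper()
    match = _CVE_ID_RE.match(candidate)
    if match is None:
        return None
    year, sequence = match.groups()
    return CveId(year=int(year), sequence=int(sequence))


def extract_cve_ids(text: str) -> list[str]:
    """Find every CVE identifier in free text; return them deduplicated,
    normalised and ordered by year, then by numeric sequence number.

    Sorting numerically matters: a plain string sort would place
    CVE-2021-12345 before CVE-2021-9999.
    """
    found = set()
    for m in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", text, flags=re.IGNORECASE):
        parsed = parse_cve_id(m.group(0))
        if parsed is not None:
            found.add(parsed)
    return [str(c) for c in sorted(found, key=lambda c: (c.year, c.sequence))]


# Constructed sample text standing in for a remediation ticket.
SAMPLE_TICKET = (
    "Scanner flagged CVE-2021-12345 on the web tier; cve-2014-1234567 was "
    "closed last quarter. CVE-2021-12345 is a duplicate finding, and "
    "CVE-2021-9999 is still open. Ignore the malformed CVE-2021-123."
)

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_TICKET):
        print(cve)
```

The malformed `CVE-2021-123` in the sample is rejected because its sequence number is shorter than four digits, and the duplicate mention collapses to one entry.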
The records of each CVE also describe the vulnerability or exposure, explaining how it was discovered, the affected systems and software, known exploits and their impacts, vulnerable versions, and current security mitigations. This last piece of information is particularly valuable to security teams trying to safeguard sensitive data that might be obtained through access to a system they maintain.
Some have wondered if compiling the CVE catalog amounts to telling threat actors where their targets lie, thus encouraging cyber attacks. While there’s certainly a possibility that some of those wishing to exploit a system might not otherwise know about the vulnerability or exposure, skilled threat actors are already aware of these weaknesses through their own work or the network of information they share privately with each other.
Therefore, it’s best for the purposes of risk assessment and vulnerability management for security teams to have access to this information. As we have discussed in other blog posts, the issue for most security teams is not a lack of information but too much information. Security issues are not going to go away, however, so what is important is having both the knowledge and, as part of your managed vulnerability management plan, a clear path for acting upon it.
Not every CVE will impact every organization. Successful security teams need to prioritize CVEs based on the actual criticality to their business. With an inundation of threats each month, creating that action plan can be daunting.
NopSec UVRM pulls asset criticality data from your CMDB to deliver unique context around each vulnerability in your environment. The end result is a precise and prioritized list of vulnerabilities that should be remediated first. Unlike other vulnerability risk management platforms, we don’t blackbox this — you can easily view the top five factors affecting your risk score.
Answer: A vulnerability is a weakness in a system – something that has the potential for being exploited. An exposure is a known incident in which the vulnerability was acted upon.
Answer: In cybersecurity, an exposure is an incident in which the vulnerability has been taken advantage of by an unauthorized activity. It may be a single incident or an ongoing series of unauthorized actions.
Answer: Vulnerabilities exist in network hardware and software; in operating systems; in processes; and in the people working for or otherwise connected to an organization. For example, an employee who is not aware of how threat actors can use phishing to gain access to a database represents a vulnerability.