As a security researcher, common vulnerabilities and exposures (CVEs) are an issue for me — but not for the reason you might think.
While IT and security teams dislike CVEs because of the threat they pose and the mountain of remediation work they create, what troubles me is the way our modern security procedures relate to CVEs. Our mitigation strategies have become too focused on “vulnerability management” and too CVE-centric, when what we really need is a hacker-centric approach to effectively reduce our exposure.
Vulnerability management as a primary strategy doesn’t really work. According to the National Institute of Standards and Technology, 20,158 new vulnerabilities were discovered in 2021 alone. This represented the fifth consecutive year of record numbers for vulnerability discovery, and it looks like 2022 may very well continue the trend. Security teams cannot reasonably patch 20,000 new vulnerabilities a year, and even if they could, they shouldn’t.
This might sound counterintuitive, but there are a few reasons why it’s not. The first is that recent research reveals that only about 15% of vulnerabilities are actually exploitable, and so patching every vulnerability is not an effective use of time for security teams that have no shortage of tasks. The second and equally important reason is that even if you did continuously patch 100% of the CVEs in your network, this likely still wouldn’t be effective at stopping hackers.
Hacker Strategies Are Vast and Varied
Phishing, spear-phishing, varying levels of social engineering, leaked credentials,