Need to prioritize security bug patches? Don't forget to scan Twitter as well as use CVSS scores

Exploit, vulnerability discussion online can offer useful signals


Organizations looking to minimize exposure to exploitable software should scan Twitter for mentions of security bugs as well as use the Common Vulnerability Scoring System or CVSS, Kenna Security argues.

Better still is prioritizing the repair of vulnerabilities for which exploit code is available, if that information is known.

CVSS is a framework for rating the severity of software vulnerabilities (identified using CVE, or Common Vulnerability Enumeration, numbers), on a scale from 1 (least severe) to 10 (most severe). It's overseen by First.org, a US-based, non-profit computer security organization.

As an example, the initial Log4j vulnerability (CVE-2021-44228) received a base CVSS score of 10.0. The Log4j CVSS score was also accompanied by additional data:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

This jumble of letters summarizes the framework version (3.0), the attack vector (network), the attack complexity (low), the privileges required (none), the user interaction required (none), whether the scope of potentially affected resources changes (here it does), and the impact metrics for confidentiality, integrity and availability (each rated high).

CVSS scores can help organizations focus on fixing dangerous flaws first. Ideally, prioritization would not be necessary but there are often so many bugs to repair that large organizations find it's not feasible to just fix everything at once. There were more than 20,000 CVEs released last year, compared to just over 1,000 two decades ago.

While CVSS scores can inform vulnerability remediation strategies, Kenna Security, acquired last year by Cisco, argues that there are better prioritization signals like focusing on flaws with exploit code and counting the number of times a vulnerability is mentioned on Twitter.

Kenna argues for using the Exploit Prediction Scoring System (EPSS), which is also maintained by First.org.

EPSS combines CVE data with exploit data in an effort to predict whether and when vulnerabilities will be exploited.

"Prioritizing vulnerabilities with exploit code is 11 times more effective than Common Vulnerability Scoring System (CVSS) scores in minimizing exploitability," said CTO and co-founder Ed Bellis in a blog post on Wednesday. "Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about 2 times better)."

The graph below uses EPSS with remediation velocity to evaluate vulnerability repair strategies:

[Graph: Kenna Security Exploit Prediction Scoring System. Image source: Kenna Security]

Kenna Security has been working with the Cyentia Institute, a data science firm, to analyze vulnerability remediation data sets. Kenna has been publishing the findings in a series of reports, the latest of which is titled Prioritization to Prediction Volume 8, Measuring and Minimizing Exploitability.

In an email, Jay Jacobs, partner and co-founder at the Cyentia Institute, told The Register that Twitter is a better yardstick than CVSS even when a vulnerability's CVSS score is a 10 – which makes it obvious the flaw should be dealt with.

"That metric is looking at the performance of CVSS as a whole and using it as a prioritization strategy, so it is assuming companies are remediating according to the base score," said Jacobs. "That means they start with all of the CVSS 10s in their environment and remediate those, then move on to the next highest CVSS score and so on. They continue this until they reach their capacity for remediation as discussed in the report."

The gist of the report is that prioritizing patches using an effective strategy can reduce an organization's attack surface better than expanding internal capacity to apply patches.

Chris Gibson, executive director of the Forum of Incident Response and Security Teams (FIRST), told The Register in an email that CVSS and EPSS measure different things – severity and risk, respectively.

"One of the biggest challenges with CVSS has been end-user consumer education," he said. "Many well-meaning consumers of CVSS simply stack rank vulnerabilities found in their products (CVE IDs) by CVSS Base Score and form an action/mitigation plan based on that number alone. While by far the easiest method, it's also the least apt and accurate. Additional inputs, such as Threat and Environment, must be taken into account to come up with an accurate assessment."

Pointing to an article on the First.org website that addresses this, he emphasized that CVSS Base Score alone is not intended to communicate the risk of malicious exploitation.

"Taken as a starting point, mitigated by real-time threat analysis such as EPSS and others, and amplified by the Security Requirements — some would call the risk tolerance — a scoring consumer can much better gauge and assess the appropriate measured response, priority, and urgency of a particular vulnerability," he said.

The Kenna/Cyentia report also contains some noteworthy data about the exploitability of different tech vendors, based on EPSS.

It says that while Microsoft is responsible for the largest number and for the most exploitable vulnerabilities, the Windows maker manages to fix its bugs faster than almost any other vendor. When exploitability is graphed against the time that vulnerabilities linger unaddressed, HP and IBM stand out as laggards.

[Graph: Kenna Security report graph of exploitability against persistence. Image source: Kenna Security]

Google, meanwhile, gets a nod for low exploitability and rapid repair time. "...Google is in a class of its own in terms of low exploitability and high remediation velocity," the report says. ®
