Need to prioritize security bug patches? Don't forget to scan Twitter as well as use CVSS scores

Exploit, vulnerability discussion online can offer useful signals


Organizations looking to minimize exposure to exploitable software should scan Twitter for mentions of security bugs as well as use the Common Vulnerability Scoring System or CVSS, Kenna Security argues.

Better still is prioritizing the repair of vulnerabilities for which exploit code is available, if that information is known.

CVSS is a framework for rating the severity of software vulnerabilities (identified using CVE, or Common Vulnerability Enumeration, numbers), on a scale from 1 (least severe) to 10 (most severe). It's overseen by First.org, a US-based, non-profit computer security organization.

As an example, the initial Log4j vulnerability (CVE-2021-44228) received a base CVSS score of 10.0. The Log4j CVSS score was also accompanied by additional data:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

This jumble of letters summarizes the framework version (3.0), the attack vector (network), the attack complexity (low), the privileges required (none), the user interaction required (none), whether the scope of potentially affected resources remains unchanged or not (changed), and impact metrics representing confidentiality, integrity and availability.

CVSS scores can help organizations focus on fixing dangerous flaws first. Ideally, prioritization would not be necessary but there are often so many bugs to repair that large organizations find it's not feasible to just fix everything at once. There were more than 20,000 CVEs released last year, compared to just over 1,000 two decades ago.

While CVSS scores can inform vulnerability remediation strategies, Kenna Security, acquired last year by Cisco, argues that there are better prioritization signals like focusing on flaws with exploit code and counting the number of times a vulnerability is mentioned on Twitter.

Kenna argues for using the Exploit Prediction Scoring System (EPSS), which is also maintained by First.org.

EPSS combines CVE data with exploit data in an effort to predict whether and when vulnerabilities will be exploited.

"Prioritizing vulnerabilities with exploit code is 11 times more effective than Common Vulnerability Scoring System (CVSS) scores in minimizing exploitability," said CTO and co-founder Ed Bellis in a blog post on Wednesday. "Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about 2 times better)."

The graph below uses EPSS with remediation velocity to evaluate vulnerability repair strategies:

Kenna Security Exploit Prediction Scoring System graph

Image source: Kenna Security

Kenna Security has been working with the Cyentia Institute, a data science firm, to analyze vulnerability remediation data sets. Kenna has been publishing the findings in a series of reports, the latest of which is titled Prioritization to Prediction Volume 8, Measuring and Minimizing Exploitability.

In an email, Jay Jacobs, partner and co-founder at the Cyentia Institute, told The Register that Twitter is a better yardstick than CVSS even when a vulnerability's CVSS score is a 10 – which makes it obvious the flaw should be dealt with.

"That metric is looking at the performance of CVSS as a whole and using it as a prioritization strategy, so it is assuming companies are remediating according to the base score," said Jacobs. "That means they start with all of the CVSS 10s in their environment and remediate those, then move on to the next highest CVSS score and so on. They continue this until they reach their capacity for remediation as discussed in the report.​​"

The gist of the report is that prioritizing patches using an effective strategy can reduce an organization's attack surface better than expanding internal capacity to apply patches.

Chris Gibson, executive director of the Forum of Incident Response and Security Teams (FIRST), told The Register in an email that CVSS and EPSS measure different things – severity and risk, respectively.

"One of the biggest challenges with CVSS has been end-user consumer education," he said. "Many well-meaning consumers of CVSS simply stack rank vulnerabilities found in their products (CVE IDs) by CVSS Base Score and form an action/mitigation plan based on that number alone. While by far the easiest method, it's also the least apt and accurate. Additional inputs, such as Threat and Environment, must be taken into account to come up with an accurate assessment."

Pointing to an article on the First.org website that addresses this, he emphasized that CVSS Base Score alone is not intended to communicate the risk of malicious exploitation.

"Taken as a starting point, mitigated by real-time threat analysis such as EPSS and others, and amplified by the Security Requirements — some would call the risk tolerance — a scoring consumer can much better gauge and assess the appropriate measured response, priority, and urgency of a particular vulnerability," he said.

The Kenna/Cyentia report also contains some noteworthy data about the exploitability of different tech vendors, based on EPSS.

It says that while Microsoft is responsible for the largest number and for the most exploitable vulnerabilities, the Windows maker manages to fix its bugs faster than almost any other vendor. When exploitability is graphed against the time that vulnerabilities linger unaddressed, HP and IBM stand out as laggards.

Kenna Security report graph of exploitability/persistence

Image source: Kenna Security

Google, meanwhile, gets a nod for low exploitability and rapid repair time. "...Google is in a class of its own in terms of low exploitability and high remediation velocity," the report says. ®

Broader topics


Other stories you might like

  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading
  • DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers
    Meanwhile, Tails 5.0 users told to stop what they're doing over Firefox flaw

    DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

    Security researcher Zach Edwards recently conducted an audit of DuckDuckGo's mobile browsers and found that, contrary to expectations, they do not block Meta's Workplace domain, for example, from sending information to Microsoft's Bing and LinkedIn domains.

    Specifically, DuckDuckGo's software didn't stop Microsoft's trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google's, are blocked.

    Continue reading
  • Despite 'key' partnership with AWS, Meta taps up Microsoft Azure for AI work
    Someone got Zuck'd

    Meta’s AI business unit set up shop in Microsoft Azure this week and announced a strategic partnership it says will advance PyTorch development on the public cloud.

    The deal [PDF] will see Mark Zuckerberg’s umbrella company deploy machine-learning workloads on thousands of Nvidia GPUs running in Azure. While a win for Microsoft, the partnership calls in to question just how strong Meta’s commitment to Amazon Web Services (AWS) really is.

    Back in those long-gone days of December, Meta named AWS as its “key long-term strategic cloud provider." As part of that, Meta promised that if it bought any companies that used AWS, it would continue to support their use of Amazon's cloud, rather than force them off into its own private datacenters. The pact also included a vow to expand Meta’s consumption of Amazon’s cloud-based compute, storage, database, and security services.

    Continue reading

Biting the hand that feeds IT © 1998–2022