Need to prioritize security bug patches? Don't forget to scan Twitter as well as use CVSS scores

Exploit, vulnerability discussion online can offer useful signals


Organizations looking to minimize exposure to exploitable software should scan Twitter for mentions of security bugs as well as use the Common Vulnerability Scoring System or CVSS, Kenna Security argues.

Better still is prioritizing the repair of vulnerabilities for which exploit code is available, if that information is known.

CVSS is a framework for rating the severity of software vulnerabilities (identified using CVE, or Common Vulnerability Enumeration, numbers), on a scale from 1 (least severe) to 10 (most severe). It's overseen by First.org, a US-based, non-profit computer security organization.

As an example, the initial Log4j vulnerability (CVE-2021-44228) received a base CVSS score of 10.0. The Log4j CVSS score was also accompanied by additional data:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

This jumble of letters summarizes the framework version (3.0), the attack vector (network), the attack complexity (low), the privileges required (none), the user interaction required (none), whether the scope of potentially affected resources remains unchanged or not (changed), and the impact metrics for confidentiality, integrity and availability (each rated high).

CVSS scores can help organizations focus on fixing dangerous flaws first. Ideally, prioritization would not be necessary but there are often so many bugs to repair that large organizations find it's not feasible to just fix everything at once. There were more than 20,000 CVEs released last year, compared to just over 1,000 two decades ago.

While CVSS scores can inform vulnerability remediation strategies, Kenna Security, acquired last year by Cisco, argues that there are better prioritization signals like focusing on flaws with exploit code and counting the number of times a vulnerability is mentioned on Twitter.

Kenna argues for using the Exploit Prediction Scoring System (EPSS), which is also maintained by First.org.

EPSS combines CVE data with exploit data in an effort to predict whether and when vulnerabilities will be exploited.

"Prioritizing vulnerabilities with exploit code is 11 times more effective than Common Vulnerability Scoring System (CVSS) scores in minimizing exploitability," said CTO and co-founder Ed Bellis in a blog post on Wednesday. "Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about 2 times better)."

The graph below uses EPSS with remediation velocity to evaluate vulnerability repair strategies:

[Graph: Kenna Security Exploit Prediction Scoring System. Image source: Kenna Security]

Kenna Security has been working with the Cyentia Institute, a data science firm, to analyze vulnerability remediation data sets. Kenna has been publishing the findings in a series of reports, the latest of which is titled Prioritization to Prediction Volume 8, Measuring and Minimizing Exploitability.

In an email, Jay Jacobs, partner and co-founder at the Cyentia Institute, told The Register that Twitter is a better yardstick than CVSS even when a vulnerability's CVSS score is a 10 – which makes it obvious the flaw should be dealt with.

"That metric is looking at the performance of CVSS as a whole and using it as a prioritization strategy, so it is assuming companies are remediating according to the base score," said Jacobs. "That means they start with all of the CVSS 10s in their environment and remediate those, then move on to the next highest CVSS score and so on. They continue this until they reach their capacity for remediation as discussed in the report."

The gist of the report is that prioritizing patches using an effective strategy can reduce an organization's attack surface better than expanding internal capacity to apply patches.

Chris Gibson, executive director of the Forum of Incident Response and Security Teams (FIRST), told The Register in an email that CVSS and EPSS measure different things – severity and risk, respectively.

"One of the biggest challenges with CVSS has been end-user consumer education," he said. "Many well-meaning consumers of CVSS simply stack rank vulnerabilities found in their products (CVE IDs) by CVSS Base Score and form an action/mitigation plan based on that number alone. While by far the easiest method, it's also the least apt and accurate. Additional inputs, such as Threat and Environment, must be taken into account to come up with an accurate assessment."

Pointing to an article on the First.org website that addresses this, he emphasized that CVSS Base Score alone is not intended to communicate the risk of malicious exploitation.

"Taken as a starting point, mitigated by real-time threat analysis such as EPSS and others, and amplified by the Security Requirements — some would call the risk tolerance — a scoring consumer can much better gauge and assess the appropriate measured response, priority, and urgency of a particular vulnerability," he said.

The Kenna/Cyentia report also contains some noteworthy data about the exploitability of different tech vendors, based on EPSS.

It says that while Microsoft is responsible for the largest number and for the most exploitable vulnerabilities, the Windows maker manages to fix its bugs faster than almost any other vendor. When exploitability is graphed against the time that vulnerabilities linger unaddressed, HP and IBM stand out as laggards.

[Graph: Kenna Security report graph of exploitability versus persistence. Image source: Kenna Security]

Google, meanwhile, gets a nod for low exploitability and rapid repair time. "...Google is in a class of its own in terms of low exploitability and high remediation velocity," the report says. ®


Biting the hand that feeds IT © 1998–2022