The acronym CVE has become synonymous with vulnerability. And maybe rightly so – it’s a handy, unique identifier that makes it easy for people to exchange information about a vulnerability, and about the state of that vulnerability within an organization. Unfortunately, the CVE system can be very misleading because, while it does cover software vulnerabilities and can be a useful tool for patching and vulnerability management programs, software vulnerabilities represent only a small fraction of the issues driving risk to your organization.
If we ignore the commonly accepted infosec definition of the word vulnerability, and instead look at the English language definition of a vulnerability, the difference is clear. In infosec, vulnerability usually means CVE. The real definition of vulnerability, however, is “the quality or state of being exposed to the possibility of being attacked or harmed.” Clearly there are more ways that an adversary can “attack or harm” your organization than via unpatched software vulnerabilities.
The top 9 vulnerabilities with no assigned CVE number
So what are all of these vulnerabilities that aren’t assigned a CVE? Basically, anything other than a CVE.
- Compromised Credentials – password related issues are still responsible for more than 80% of breaches, and 99% of users reuse passwords between work and personal accounts. With compromises of consumer services on a near daily basis, the odds that some of your users’ work passwords have already been compromised are extremely high. Think this is less important than that high severity CVE that made the news last week but has never been exploited in the wild?
- Weak Passwords – weak passwords are susceptible to brute force and dictionary attacks, giving patient attackers a leg up on your unsuspecting users (and cyber defenses). Make sure you’re using multifactor authentication, password management software, and the latest NIST recommendations on password policies.
- Unknown Assets – 60% of organizations believe they’re aware of fewer than 75% of the assets with access to corporate information systems. In an organization with 10,000 assets, that means there are 2,500 unknown assets with access to the corporate network. There is no way to patch or manage these assets, and the organization literally doesn’t know what they are. This is a huge vulnerability and, you guessed it, no CVE for this one either. IT asset inventory might be the most commonly overlooked major vulnerability in the enterprise.
- Risky Browsing Activity – only 48% of organizations have adequate visibility into phishing risk, despite 89% believing that phishing is their highest risk vulnerability. Risky browsing and overall IT asset use lead to increased risk of phishing, malware infection, and a whole host of additional issues.
- Missing or Poor Encryption – encryption of both data-at-rest and data-in-transit is an information security best practice, yet only 29% of information security professionals have visibility into whether and where encryption is being used across their organization.
- Misconfiguration – default usernames and passwords, disabled encryption, and inadvertent public sharing of cloud databases are but a few of the misconfiguration related vulnerabilities that hackers have exploited with great success.
- Trust Relationships – it’s well-known that attackers commonly move laterally across networks after exploiting a vulnerable or weak system. Since this vulnerability in trust relationships between systems is frequently ignored, one weak system can lead to compromise of other, better protected critical systems.
- Elevated Privileges – nearly 1 in 5 organizations report that most or all users have more access privileges than required for their job, with 48% of organizations reporting at least some users with unnecessarily elevated privileges. More privileges means more risk – risk that you don’t need to take on.
- Malicious Insiders – malicious insider activity is notoriously difficult to identify because these are the same people who need access to sensitive information in order to get their jobs done.
If any of these sound like issues that your organization’s current vulnerability scanner is overlooking, Balbix can help. Balbix’s Breach Method Matrix looks at 9 classes of vulnerabilities (including unpatched software CVEs) to provide a comprehensive look at everything driving risk in your organization.
Balbix BMM covers your likelihood of risk via:
- Weak Credentials
- Phishing, Web and Ransomware
- Trust Relationship
- Compromised Credentials
- Unpatched Assets
- Malicious Insiders
- Missing/Poor Encryption
- Zero Day & Unknown Methods
Request a demo today to learn more about how the Balbix platform can help extend your vulnerability management program far beyond just CVEs.