With cyber risks rated as one of the top concerns for businesses worldwide, ensuring your security system is protected against cyberattack is vital. A vulnerability within your system could expose your data, allow unauthorised access into your buildings or provide an entry point for hackers to enter your systems.
Through the practice of logging Common Vulnerabilities and Exposures (CVE) entries, security vendors can help ensure customers are aware of any potential risks within their systems and can access the information and tools needed to mitigate those risks. If a vulnerability is discovered, logging a CVE is considered best practice to ensure customers are fully aware of cybersecurity risks; however, only a handful of physical security and video management vendors have published CVEs.
CVE is an industry standard list of common identifiers for publicly known cybersecurity vulnerabilities. CVE provides a single unique identifier to each vulnerability or exposure, which allows quick and accurate access to information, tools, or services designed to fix an issue, across multiple sources. CVE is free and publicly available information.
The CVE database is widely used by IT product and service vendors, but there are many potential reasons why security vendors may not consider the need to behave like IT vendors when it comes to their critical enterprise software systems.
Traditionally, facilities departments have been responsible for overseeing physical security systems within organisations; however, as security technologies have evolved and integrated systems have become commonplace, IT departments are becoming increasingly involved in managing security system requirements and updates.
It is also possible some security vendors are concerned about the poor perception of publicly announcing their vulnerabilities. Most security vendors will be fixing and releasing updates in response to vulnerabilities within their system, although some will be releasing these without publicising them out of fear their customers will view the information negatively and believe they are operating a weak security system.
The reality is that most security systems will present vulnerabilities. Sneaking out system fixes leaves customers with no way of knowing that the version of the application they are running has vulnerabilities which could compromise the security of their system. Logging a CVE ensures this information is easily accessible and that customers have a chance to upgrade to mitigate any risks that could leave them vulnerable to attack.
Responsible disclosure process
If a person discovers a vulnerability within a system, the normal process is to report it directly to the vendor and keep the issue confidential for a period of 90 days. This allows the vendor an opportunity to fix the problem or issue a patch before the vulnerability becomes public information. At the end of the 90 days, the vendor or the person who discovered the vulnerability can log a CVE. Anyone can log a vulnerability or exposure within an application via CVE.mitre.org.
Organisations can subscribe to CVE feeds to receive updates on vulnerabilities. If a security vendor logs an issue, they will usually simultaneously inform their customers and provide information on how to mitigate the risk. But emails can get lost or go unopened and customers are unlikely to regularly check a vendor’s website for security advisory updates. CVE feeds can help ensure customers are informed in a timely manner, giving them a chance to act before an issue becomes a major security concern.
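The value of a CVE feed is only realised when it is checked against what an organisation actually runs. The script below is an added example, not code from the article or from Gallagher: it matches a feed of vulnerability records against a local asset inventory and reports which installed versions fall inside an affected range, so the check described above can run automatically rather than depending on an email being read. The feed records, the inventory, the product names and the CVE identifiers are all constructed placeholders, and the record layout (vendor, product, a list of version ranges with `version`/`lessThan`/`status`) is an assumption loosely modelled on CVE JSON records, not the exact published schema.

```python
"""Match a CVE feed against a local asset inventory (added example).

The feed layout below is an assumption loosely modelled on CVE JSON records;
all identifiers, vendors, products and versions are constructed placeholders.
"""
import json

# Constructed sample feed with two fictional records (placeholder CVE ids).
SAMPLE_FEED = json.dumps([
    {
        "cveId": "CVE-0000-00001",
        "affected": [
            {"vendor": "ExampleVendor", "product": "AccessControlServer",
             "versions": [{"version": "0", "lessThan": "8.40", "status": "affected"}]}
        ],
        "description": "Placeholder: authentication weakness fixed in 8.40.",
    },
    {
        "cveId": "CVE-0000-00002",
        "affected": [
            {"vendor": "ExampleVendor", "product": "VideoManager",
             "versions": [{"version": "3.2.0", "lessThan": "3.2.5", "status": "affected"}]}
        ],
        "description": "Placeholder: input validation issue fixed in 3.2.5.",
    },
])

# Constructed inventory: what the organisation believes it has deployed.
SAMPLE_INVENTORY = [
    {"name": "hq-access-01", "vendor": "ExampleVendor", "product": "AccessControlServer", "version": "8.30"},
    {"name": "hq-access-02", "vendor": "ExampleVendor", "product": "AccessControlServer", "version": "8.40"},
    {"name": "site-vms-01", "vendor": "ExampleVendor", "product": "VideoManager", "version": "3.2.4"},
    {"name": "site-vms-02", "vendor": "OtherVendor", "product": "VideoManager", "version": "3.2.4"},
]


def parse_version(text):
    """Split a dotted numeric version string into a tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def compare(a, b):
    """Return -1, 0 or 1 comparing dotted versions, padding shorter ones with zeros
    so that '3.2' and '3.2.0' compare as equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def in_affected_range(installed, rng):
    """True when installed version satisfies rng['version'] <= installed < rng['lessThan']."""
    return (compare(installed, rng["version"]) >= 0
            and compare(installed, rng["lessThan"]) < 0)


def find_exposures(feed_json, inventory):
    """Return (asset name, CVE id, first fixed version) for every inventory item
    whose vendor/product matches a record and whose version is in an affected range."""
    hits = []
    for record in json.loads(feed_json):
        for aff in record["affected"]:
            for rng in aff["versions"]:
                if rng.get("status") != "affected":
                    continue
                for asset in inventory:
                    if asset["vendor"] != aff["vendor"] or asset["product"] != aff["product"]:
                        continue
                    if in_affected_range(asset["version"], rng):
                        hits.append((asset["name"], record["cveId"], rng["lessThan"]))
    return hits


if __name__ == "__main__":
    for name, cve_id, fixed in find_exposures(SAMPLE_FEED, SAMPLE_INVENTORY):
        print(f"{name}: affected by {cve_id}, upgrade to {fixed} or later")
```

The upgrade target reported is the `lessThan` bound of the affected range, which in this layout is the first version that is no longer affected. In practice the inventory would come from an asset register and the feed from a subscribed source, and the product and vendor strings must be normalised to whatever the vendor uses in its CVE records, or matches will be silently missed.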
It is in a security vendor’s best interests to log CVEs for any known vulnerabilities to ensure their customers can stay up to date and protected against emerging cyber risks.
By Steve Bell, Chief Technology Officer at Gallagher