Vulnerability Management Part 2: Public Disclosure of a Vulnerability
In last week’s blog, we discussed what vulnerabilities are and the basic structure of a vulnerability management program. In today’s blog, we’ll cover the public disclosure component of the process.
Public Disclosure of a Vulnerability
Proper disclosure of a vulnerability and its patch requires a responsible, coordinated approach. When an ethical security researcher and a software vendor work together, both parties wait to inform the public of the vulnerability until a working patch has been tested and is available for end users to download. Holding the announcement until then denies threat actors a window in which the flaw is public but unpatched. The vendor and researcher agree on a formal vulnerability disclosure date, at which time the vendor releases a public statement with a link to the patch. Once the patch is officially released, end users still need to install it: the vulnerability is mitigated only on devices that have actually been updated.
In the early days of computing, patching was confusing because there was no common naming convention for vulnerabilities. In 1999, the MITRE Corporation set out to remedy this by creating the CVE list, which gives each publicly known vulnerability a unique identifier. This made life considerably easier for system administrators, and CVE is now the industry standard for vulnerability and exposure identifiers.
In 2020, Hikvision was designated a Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) by the MITRE Corporation on the strength of its vulnerability management program. The majority of Hikvision security camera end users have patched known vulnerabilities or do not expose their devices to the internet, eliminating the risk of a successful hack.
Recent reports have also incorrectly claimed that Hikvision devices use default passwords; in fact, default passwords have not been used since March 2015.
Roles and Responsibilities
Everyone in the physical security industry has a responsibility in the cybersecurity and vulnerability disclosure process.
Software vendors can work with internal teams or external resources to assess risk and discover vulnerabilities, using scanning tools and public databases such as the CVE list and the National Vulnerability Database (NVD). The Common Vulnerability Scoring System (CVSS) also helps assess risk with its severity scoring, which rates a vulnerability on a scale from “low (0.1-3.9)” to “critical (9.0-10.0).”
An organization-wide mitigation effort depends on the discovery of vulnerabilities and the responsible disclosure of their patches; together these underpin a robust cybersecurity risk strategy. Understanding the approach also helps you identify and lead better vulnerability responses in the future.
Learn more about vulnerabilities in our recent white paper.