Chaos Reigns as MITRE Set to Cease CVE and CWE Operations


The cybersecurity community has reacted with shock and bewilderment at a decision by the US government not to renew MITRE’s contract to manage the Common Vulnerabilities and Exposures (CVE) database.

The non-profit’s CVE program has for a quarter of a century helped the security community manage and mitigate software vulnerabilities, while providing critically important information to power threat intelligence, detection and response and other products.

It provides a publicly available, standardized and centralized resource to track and manage CVEs. These unique identifiers are assigned to each vulnerability and published by authorized CVE Numbering Authorities (CNAs). 

It appears as if funding ran out for the program, which has led many to speculate it is a result of the Trump administration’s ‘efficiency’ drive for federal government.

However, experts have criticized the move as shortsighted and ultimately harmful to US national security.

Former CISA director Jen Easterly described the CVE system as “one of the most important pillars” of cybersecurity.

“Losing it would be like tearing out the card catalog from every library at once – leaving defenders to sort through chaos while attackers take full advantage,” she added.

“For your business, this could mean: increased risk of breach or ransomware; higher costs for security and compliance; lost trust from customers and regulators.”

Latio Tech analyst James Berthoty wrote on LinkedIn that the “unravelling of a centralized vulnerability disclosure source” lies at the heart of the problem.

“The CVE ecosystem is a complicated mess, and MITRE is the ultimate source of truth making the whole thing work at scale. Without it, security scanners and teams would need to once again rely on incomplete data from a myriad of vendors and sources.”

Writing on the same platform, Forescout VP of security intelligence Rik Ferguson added that “The impact of this will be huge, and will only benefit the adversary.”

What Happens Next?

Many are confused about what comes next. Security journalist Brian Krebs claimed that CNAs would still be able to assign CVE IDs to vulnerabilities and publish CVE records. However, the absence of a centralized place to view and interact with such data would still be a big loss for the security industry.

“The CVE has an API for CNAs to obtain CVEs, and as long as that’s still running there will be new CVEs,” Krebs added on LinkedIn.

“So, not a complete stop to CVEs being issued. But MITRE does have a more manual process for issuing CVEs to non-CNAs, and that may be impacted this week.”

Image credit: JHVEPhoto / Shutterstock.com