Entry: Vulnerability database
Definition:
A vulnerability database is a platform aimed at collecting, maintaining, and disseminating information about discovered vulnerabilities targeting computer systems. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and list any workarounds or updates that mitigate the issue. For a hacker to surmount a system's information assurance, three elements must apply: a susceptibility within the system, access to the susceptibility, and the ability to exploit the susceptibility.

Types of vulnerability databases

Major vulnerability databases such as the ISS X-Force database, the Symantec / SecurityFocus BID database, and the Open Source Vulnerability Database (OSVDB) [OSVDB was shut down in April 2016; the paid service VulnDB took its place] aggregate a broad range of publicly disclosed vulnerabilities, including Common Vulnerabilities and Exposures (CVE). The primary purpose of CVE, run by MITRE, is to aggregate public vulnerabilities and give each one a unique identifier in a standardized format.[1] Many vulnerability databases build on the intelligence received from CVE and investigate further, providing vulnerability risk scores, impact ratings, and the requisite workaround. In the past, CVE was paramount for linking vulnerability databases so that critical patches and fixes could be shared to inhibit hackers from accessing sensitive information on private systems.[2] The National Vulnerability Database (NVD), run by the National Institute of Standards and Technology (NIST), is operated separately from the MITRE-run CVE database, but only includes vulnerability information from CVE. NVD serves as an enhancement to that data by providing Common Vulnerability Scoring System (CVSS) risk scoring and Common Platform Enumeration (CPE) data. The Open Source Vulnerability Database provided an accurate, technical and unbiased index of security vulnerabilities.
The comprehensive database catalogued over 121,000 vulnerabilities spanning a 113-year period. The OSVDB was founded in August 2002 and launched in March 2004. In its early days, newly identified vulnerabilities were investigated by site members and explanations were detailed on the website. However, as demand for the service grew, the need for dedicated staff led to the inception of the Open Security Foundation (OSF), founded as a non-profit organisation in 2005 to provide funding for security projects and primarily for the OSVDB.[3] The National Vulnerability Database is a comprehensive cyber security vulnerability database formed in 2005 that reports on CVE. The NVD is a primary cyber security referral tool for individuals and industries alike, providing informative resources on current vulnerabilities. The NVD holds in excess of 50,000 records and publishes 13 new entries daily on average. Similar to the OSVDB, the NVD publishes impact ratings and categorises material into an index to provide users with an intelligible search system.[4] A variety of commercial companies also maintain their own vulnerability databases, offering customers services which deliver new and updated vulnerability data in machine-readable format as well as through web portals. Examples include Symantec's DeepSight[5] portal and vulnerability datafeed, Secunia's (purchased by Flexera) vulnerability manager[6] and Accenture's vulnerability intelligence service[7] (formerly iDefense). Vulnerability databases advise organisations to develop, prioritize and execute patches or other mitigations which endeavour to rectify critical vulnerabilities. However, this can often lead to the creation of additional susceptibilities, as patches are created hastily to thwart further system exploitations and violations.
Depending on their level, users and organisations are granted appropriate access to a vulnerability database, which discloses to them the known vulnerabilities that may affect them. The justification for limiting access to individuals is to impede hackers from becoming versed in corporate system vulnerabilities which could potentially be further exploited.[8]

Use of vulnerability databases

Vulnerability databases contain a vast array of identified vulnerabilities. However, few organisations possess the expertise, staff and time to review and remedy all potential system susceptibilities; hence vulnerability scoring is a method of quantitatively determining the severity of a system violation. A multitude of scoring methods exist across vulnerability databases, such as those of US-CERT and the SANS Institute's Critical Vulnerability Analysis Scale, but the Common Vulnerability Scoring System (CVSS) is the prevailing technique for most vulnerability databases, including OSVDB, vFeed[9] and NVD. The CVSS is based upon three primary metric groups, base, temporal and environmental, each of which provides a vulnerability rating.[10]

Base

This metric group covers the immutable properties of a vulnerability, such as the potential impact of the exposure of confidential information, the accessibility of information and the aftermath of the irretrievable deletion of information.

Temporal

The temporal metrics denote the mutable nature of a vulnerability, for example the credibility of an exploit, the current state of a system violation and the development of any workarounds that could be applied.[11]

Environmental

This aspect of the CVSS rates the potential loss to individuals or organisations from a vulnerability.
Furthermore, the environmental metrics detail the primary target of a vulnerability, ranging from personal systems to large organisations, and the number of potentially affected individuals.[12] The complication with using different scoring systems is that there is no consensus on the severity of a vulnerability, so different organisations may overlook critical system exploitations. The key benefit of a standardised scoring system like CVSS is that published vulnerability scores can be assessed, pursued and remedied rapidly. Organisations and individuals alike can determine the personal impact of a vulnerability on their system. The benefits derived from vulnerability databases by consumers and organisations are exponential: as information systems become increasingly embedded, our dependency and reliance on them grows, as does the opportunity for data exploitation.[13]

Common security vulnerabilities listed on vulnerability databases

Initial deployment failure

Although the functionality of a database may appear unblemished, without rigorous testing even small flaws can allow hackers to infiltrate a system's cyber security. Frequently, databases are published without stringent security controls, hence the sensitive material is easily accessible.[14]

SQL injection

Database attacks are the most recurrent form of cyber security breach recorded on vulnerability databases. SQL and NoSQL injections penetrate traditional information systems and big data platforms respectively, interpolating malicious statements that allow hackers unregulated system access.[15]

Misconfigured databases

Established databases ordinarily fail to implement crucial patches suggested by vulnerability databases due to an excessive workload and the necessity for exhaustive trialling to ensure the patches fix the defective system vulnerability.
Database operators concentrate their efforts on major system deficiencies, which offers hackers unmitigated system access through neglected patches.[16]

Inadequate auditing

All databases require audit trails to record when data is amended or accessed. When systems are created without the necessary auditing, the exploitation of system vulnerabilities is challenging to identify and resolve. Vulnerability databases promulgate the significance of audit tracking as a deterrent to cyber attacks.[17] Data protection is essential to any business, as personal and financial information is a key asset and the theft of sensitive material can discredit the reputation of a firm. The implementation of data protection strategies is imperative to guard confidential information. Some hold the view that it is the initial apathy of software designers that, in turn, necessitates the existence of vulnerability databases. If systems were devised with greater diligence, they might be impenetrable to SQL and NoSQL injections, making vulnerability databases redundant.[18]

References

1. Common Vulnerabilities and Exposures (CVE). cve.mitre.org, http://cve.mitre.org/ (accessed 1 November 2015).
2. Yun-Hua, G. and Pei, L. "Design & Research on Vulnerability Databases", 2010, pp. 209–212.
3. Karlsson, M. "The Edit History of the National Vulnerability Database and similar Vulnerability Databases", 2012.
4. NVD Primary Resources. National Vulnerability Database, https://nvd.nist.gov/ (accessed 1 November 2015).
5. DeepSight Technical Intelligence | Symantec. www.symantec.com, https://www.symantec.com/services/cyber-security-services/deepsight-intelligence/technical-intelligence (accessed 5 December 2018).
6. Secunia's Vulnerability Manager. https://www.flexera.com/products/software-vulnerability-management/software-vulnerability-manager.html
7. Accenture Vulnerability Intelligence. https://www.accenture.com/t20170721T105740Z__w__/us-en/_acnmedia/PDF-57/Accenture-IDefense-Vulnerability-Intelligence.pdf
8. Erickson, J. Hacking: The Art of Exploitation, 1st ed. San Francisco: No Starch Press, 2008. ISBN 1593271441.
9. vFeed. vFeed Correlated Vulnerability and Threat Intelligence, https://vfeed.io
10. FIRST. Common Vulnerability Scoring System (CVSS-SIG), http://www.first.org/cvss (accessed 1 November 2015).
11. Mell, P. and Romanosky, S. "Common Vulnerability Scoring System", IEEE Security and Privacy Magazine, vol. 4, no. 6, 2006, pp. 85–89.
12. Hayden, L. IT Security Metrics, 1st ed. New York: McGraw Hill, 2010.
13. Chandramouli, R., Grance, T., Kuhn, R. and Landau, S. "Common Vulnerability Scoring System", 2006, pp. 85–88.
14. The Most Significant Risks of 2015 and How to Mitigate Them. Imperva, http://www.imperva.com/docs/wp_topten_database_threats.pdf (accessed 2 November 2015).
15. Natarajan, K. and Subramani, S. "Generation of Sql-injection Free Secure Algorithm to Detect and Prevent Sql-Injection Attacks", Procedia Technology, vol. 4, 2012, pp. 790–796.
16. "Vulnerability Database - Top 1000 Flaws", Network Security, vol. 8, no. 6, 2001.
17. Afyouni, H. Database Security & Auditing, 1st ed. Boston: Thomson Course Technology, 2006.
18. Sirohi, D. Transformational Dimensions of Cyber Crime. India: Vij Books, 2015, pp. 54–65.