Posted on Apr 25, 2016
What should an InfoSec newbie learn about CVE (Common Vulnerabilities and Exposures) ?
I'm trying to figure out how these numbers are populated and what's important to know about the cvedetails.com website.
https://www.hackread.com/apples-os-x-most-vulnerable-software-of-2015/
Responses: 2
Here's a link to some key info on CVEs https://cve.mitre.org/about/faqs.html
Things I pay attention to: start with current year vulnerabilities. There is a good chance the owner has worked to remediate or mitigate earlier issues (but not always). Look at the higher score first (i.e. 10 vs 4.8). Then see what it affects. Then check the DISA STIG site to see if there are STIGs that address the vulnerability. If not, then ask the manufacturer what they are going to do about the vulnerability - and use the CVE number in that correspondence.
CVE - Frequently Asked Questions
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
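Taking the triage order in the answer above (current-year entries first, higher CVSS score first, then what the entry affects, then whether a STIG already covers it, otherwise raise it with the vendor citing the CVE id), here is an added Python example that is not part of the thread and not anyone's tooling. The CVE identifiers, scores, product names and the STIG-coverage table are all constructed for the demo; the only real structure it relies on is the `CVE-<year>-<digits>` identifier format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A CVE identifier is "CVE-<year>-<4 or more digits>"; the year component is
# what the first triage step ("start with current-year vulnerabilities") keys on.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss_score: float      # CVSS base score, 0.0 to 10.0
    product: str           # what the entry affects
    summary: str


def cve_year(cve_id: str) -> int:
    """Extract the year from a CVE identifier, rejecting malformed ids."""
    match = CVE_ID_RE.match(cve_id)
    if not match:
        raise ValueError(f"not a well-formed CVE identifier: {cve_id!r}")
    return int(match.group(1))


def triage(records: List[CveRecord], current_year: int,
           stig_coverage: Dict[str, bool]) -> List[Tuple[str, float, str, str]]:
    """Apply the answer's order: keep only current-year entries, sort highest
    score first, then attach the next action (apply an existing STIG, or
    contact the vendor and cite the CVE id)."""
    current = [r for r in records if cve_year(r.cve_id) == current_year]
    current.sort(key=lambda r: r.cvss_score, reverse=True)
    result = []
    for r in current:
        covered = stig_coverage.get(r.product, False)
        action = "apply STIG" if covered else "contact vendor (cite CVE id)"
        result.append((r.cve_id, r.cvss_score, r.product, action))
    return result


# Constructed sample entries: identifiers, scores and products are made up.
SAMPLE_RECORDS = [
    CveRecord("CVE-2016-99901", 10.0, "ExampleOS", "remote code execution in a network service"),
    CveRecord("CVE-2016-99902", 4.8, "ExampleOS", "local information disclosure"),
    CveRecord("CVE-2015-99903", 9.3, "ExampleBrowser", "memory corruption in renderer"),
    CveRecord("CVE-2016-99904", 7.5, "ExampleBrowser", "cross-origin bypass"),
]

# Constructed mapping: which products already have a STIG in this imaginary shop.
SAMPLE_STIG_COVERAGE = {"ExampleOS": True}


def triage_sample() -> List[Tuple[str, float, str, str]]:
    """Run the triage over the constructed data for the current year 2016."""
    return triage(SAMPLE_RECORDS, current_year=2016, stig_coverage=SAMPLE_STIG_COVERAGE)


if __name__ == "__main__":
    for cve_id, score, product, action in triage_sample():
        print(f"{cve_id}  {score:>4}  {product:<15} {action}")
```

The 2015 entry drops out of the list even though its score is high, which is exactly the trade-off the answer describes: the year filter assumes older issues have been dealt with, so in practice you would run the same ordering over the prior year as a second pass rather than ignore it.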
SGT (Join to see)
COL Jim Kohlmann - Thanks for sharing, sir. Never heard of InfoSec Institute. I see their programs are paid. I plan to try to get Linux + from VCTP at Syracuse University and then I'll hopefully remember to check my bookmarks for this. My Sec + expired already, and I figured if I get Linux +/LPIC-1, I can advance in LPIC-2/3. Do you have any thoughts on this ?
COL Jim Kohlmann
Lots of work in Linux, and advanced certification there is great. However, those certs don't work for DoD 8570 - so if you want to work in DoD, get recertified. Long term, the higher paying jobs go with the tougher certs. I'd recommend shooting for a CISSP cert, which will qualify you for just about any Cybersecurity job. And while you are working on that, don't let any cert you have lapse!
SGT (Join to see)
COL Jim Kohlmann - I want to work with Linux. I don't care much about DoD, although I have considered working with Red Hat. And CISSP... I'll have to check that out again sometime. Thanks again.
COL Jim Kohlmann
SGT (Join to see) - Sounds like you know what you want to do - that's half the battle. Good luck!
What they are and what information they provide. Also, you should know where to find them and how they can be exploited.
SGT (Join to see)
The number of vulnerabilities. They're from the initial download, right? If you do hardening on the software, i.e. Linux kernel or any desktop OS, that can affect the total number, right?