What should an InfoSec newbie learn about CVE (Common Vulnerabilities and Exposures) ?

SGT Private RallyPoint Member — Mon, 25 Apr 2016 17:08:21 -0400

I'm trying to figure out how these numbers are populated and what's important to know about the cvedetails.com website.

https://www.hackread.com/apples-os-x-most-vulnerable-software-of-2015/

Surprise, Apple’s OS X comes out as most vulnerable software of 2015

In a study conducted by CVE Details, the most vulnerable software of the previous year has been identified as Apple’s OS X and the tech-giant is also the c

Response by SSG Derek Scheller made Apr 25 at 2016 5:10 PM

SSG Derek Scheller — Mon, 25 Apr 2016 17:10:19 -0400

What they are and what information they provide. Also, you should know where to find them and how they can be exploited.

Response by COL Jim Kohlmann made Apr 25 at 2016 9:05 PM

COL Jim Kohlmann — Mon, 25 Apr 2016 21:05:42 -0400

Here's a link to some key info on CVEs https://cve.mitre.org/about/faqs.html
Things I pay attention to: start with current year vulnerabilities. There is a good chance the owner has worked to remediate or mitigate earlier issues (but not always). Look at the higher score first (i.e. 10 va 4.8). Then see what it it effects. Then check the DISA STIG site to see if there are STIGs that address the vulnerability. If not, then ask the manufacturer what they are going to do about the vulnerability - and use the CVE number in that correspondence.

CVE - Frequently Asked Questions

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.