I recently read an article in Dark Reading describing research by the firm Risk Based Security which found that at least 33% of all disclosed vulnerabilities are missing from the CVE and NVD databases. Why? Because these databases include only the vulnerabilities that security vendors and researchers directly report to them. All other software vulnerabilities are missing from the CVE and NVD databases, and many of those missing vulnerabilities are critical in severity.
Since most scanning tools use the CVE and NVD databases as their source of truth, this gap means that enterprise security managers often have an incomplete picture of the software vulnerabilities on their networks.
As interesting as this was, I say: Why stop the analysis here? Software vulnerabilities are just the tip of the iceberg. There are many kinds of technical vulnerabilities that have nothing to do with software CVEs but are caused by how the device has been designed and/or how you have (or have not) configured it when you (or someone) deployed it. For example:
As an example, several of the factors listed above apply to Smart TVs, and recently the FBI reminded consumers how vulnerable Smart TVs are to being attacked. The FBI bulletin did not go into details, but I would say that Smart TVs frequently suffer from four of the five vulnerabilities listed above. (I don’t think they store data, but wow, they sure transmit it.)
One story that Armis sales people love to tell new customers is the time Armis found a Smart TV that had been installed in a conference room. It had been infected with malware, and the malware was attempting to propagate to nearby devices via the TV’s built-in Wi-Fi hotspot and Bluetooth radio. Since Armis’ discovery of BlueBorne in 2017, Bluetooth has been a known propagation vector, but most enterprise security tools don’t monitor Bluetooth and therefore can’t detect malicious Bluetooth activity. Armis can. Our customer was pleased.
Looking back at the list above, it is clear that this compromised Smart TV bore two technical vulnerabilities:
One of the capabilities that Armis’ agentless device security platform enables is the ability to perform vulnerability assessments against all forms of devices including traditional IT, OT, enterprise IoT and consumer IoT. We have designed our platform in a way that can discover both software vulnerabilities (CVEs) and many other types of device vulnerabilities, including those listed above. In this way, we provide our customers with more complete information about vulnerabilities in their environment, not just the “tip of the iceberg” information that resides inside CVE and NVD databases. For more details on Armis’ capabilities, check out this solution brief.
What do you think? I’d love to hear from you. Contact me at [email protected]