Developing a systematic program to manage vulnerability disclosure and patching is an important component of any IT and cybersecurity professional’s skillset within the physical security industry. In this article, Hikvision provides details about the process to help you and your organization better handle vulnerabilities.
Vulnerabilities are the bugs, flaws, or weaknesses in applications, operating systems, and software components that threat actors can exploit. The threat landscape keeps growing in both complexity and attack surface. In 2022, over 25,000 new common IT security vulnerabilities and exposures (CVEs) were reported. Between January and April 2023, this number reached 7,489 (Statista.com). Additionally, every PC, smartphone, and server runs an operating system, and the growth of Internet of Things (IoT) connected smart devices such as IP video security cameras, smart thermostats, and smart appliances adds still more software that must be kept patched.
All these computing systems are running software that needs to be updated regularly as new vulnerabilities are discovered and patches are made available by their software vendors. Some of these patches are installed automatically while others require the software end user to install the patches manually. Even when you are up to date with patches, it is likely that you are running vulnerable software but just haven’t found all of the vulnerabilities yet. This is why managing vulnerabilities is essential and should be part of an ongoing program within your organization.
Basics of Vulnerability Management
The basic structure of a vulnerability management program includes these three elements:
1. Discover the vulnerability
2. Report it to the vendor
3. Coordinate public disclosure of the vulnerability with a patch
The process begins with the discovery of a vulnerability. Malicious threat actors (black hat) and ethical security researchers (white hat) are constantly looking for vulnerabilities in popular software. Hackers seek to exploit these vulnerabilities for personal and financial gain. Ethical researchers seek to have these vulnerabilities fixed. Typically, when a security researcher discovers a vulnerability in a product, they will alert the software vendor who owns and manages that product. The researcher then works with the vendor to identify the vulnerability, mitigate it by creating a patch, and test it to ensure that the patch fixes the vulnerability. Once that is completed, we move into the public disclosure component of the process.
Public Disclosure of a Vulnerability
Proper disclosure of a vulnerability patch also requires a responsible, coordinated approach. When an ethical security researcher and a software vendor work together, both parties will wait to inform the public of the vulnerability until a working patch is tested and available for end user download. This action is taken to prevent threat actors from exploiting the vulnerability. The vendor and researcher will agree upon a formal vulnerability disclosure date, at which time the vendor will release a public statement with a link to the patch. Once the patch is officially released, end users will need to install the patch to ensure the vulnerability has been mitigated.
In the early days of computing, patching was very confusing because there was no naming convention for vulnerabilities. In 1999, the Mitre Corporation aimed to remedy this by creating the CVE database, which gave each vulnerability a unique identifier. This made life quite a bit easier for system administrators. CVE is now the industry standard for vulnerability and exposure identifiers.
In February 2020, Hikvision was designated a Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) by the Mitre Corporation for its vulnerability management program. The majority of Hikvision security camera end users have patched known vulnerabilities or do not make devices accessible from the internet, eliminating the risk of a successful hack.
Roles and Responsibilities
Everyone in the physical security industry has a responsibility in the cybersecurity and vulnerability disclosure process.
Software vendors and end users can work with internal teams or external resources to assess risk and discover vulnerabilities using scanning tools or databases such as the CVE list and the National Vulnerability Database (NVD). The CVSS (Common Vulnerability Scoring System) can also help you assess risk with its severity scoring system, enabling an accurate rating of your cybersecurity risk on a scale from "Low" (0.1-3.9) to "Critical" (9.0-10.0).
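The following is an added example, not code from Hikvision or from the white paper the article refers to. It ties together the three program elements listed earlier (discover, report, coordinate disclosure with a patch) and the CVSS severity scale just described: it maps a CVSS v3.x base score to its qualitative band (the article quotes only the Low and Critical bands; the Medium 4.0-6.9 and High 7.0-8.9 bands are the standard CVSS v3.x ratings), records where each advisory stands in the coordinated-disclosure lifecycle so that nothing is published before a tested patch exists, and ranks an inventory of devices by patch urgency, putting internet-exposed devices first. Every CVE identifier, device name, firmware version and score in it is a constructed placeholder.

```python
"""Added example: a minimal vulnerability-management tracker (not vendor code).

All CVE ids, device names, firmware versions and scores are constructed
placeholders for illustration, not real advisories.
"""
from dataclasses import dataclass, field
from typing import Optional

# CVSS v3.x qualitative severity rating scale: (inclusive lower bound, label).
# The article quotes the Low and Critical bands; Medium/High are the standard
# v3.x bands between them.
SEVERITY_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
]


def cvss_severity(score: float) -> str:
    """Return the qualitative rating for a CVSS base score in 0.0-10.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for lower, label in SEVERITY_BANDS:
        if score >= lower:
            return label
    return "None"  # not reached: the 0.0 band catches everything else


@dataclass
class Advisory:
    cve_id: str                              # placeholder id, e.g. CVE-0000-EXAMPLE1
    cvss: float                              # CVSS v3.x base score
    patched_version: Optional[str] = None    # None means no fix has been built yet
    patch_tested: bool = False               # researcher/vendor verified the fix


def disclosure_status(adv: Advisory) -> str:
    """Lifecycle stage: the advisory is published only once a tested patch exists."""
    if adv.patched_version is None:
        return "reported: awaiting patch"
    if not adv.patch_tested:
        return "patch in testing"
    return "ready for public disclosure"


@dataclass
class Device:
    name: str
    firmware: str
    internet_exposed: bool
    advisories: list = field(default_factory=list)


def version_tuple(v: str) -> tuple:
    """'5.6.2' -> (5, 6, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def needs_patch(dev: Device, adv: Advisory) -> bool:
    """A device is affected if it runs firmware older than the patched version,
    or if no patch exists yet (still exposed, mitigation is the only option)."""
    if adv.patched_version is None:
        return True
    return version_tuple(dev.firmware) < version_tuple(adv.patched_version)


def patch_priority(devices: list) -> list:
    """Rank affected (device, advisory) pairs: internet-exposed devices first,
    then by descending CVSS score. Returns (device, cve_id, severity, exposed)."""
    work = []
    for dev in devices:
        for adv in dev.advisories:
            if needs_patch(dev, adv):
                work.append((dev.name, adv.cve_id, adv.cvss,
                             cvss_severity(adv.cvss), dev.internet_exposed))
    work.sort(key=lambda w: (not w[4], -w[2]))
    return [(name, cve, sev, exposed) for name, cve, _, sev, exposed in work]


def demo_inventory() -> list:
    """Constructed sample data (placeholders, not real products or CVEs)."""
    critical_fixed = Advisory("CVE-0000-EXAMPLE1", 9.8, "5.7.0", patch_tested=True)
    medium_testing = Advisory("CVE-0000-EXAMPLE2", 5.3, "5.7.0", patch_tested=False)
    high_no_patch = Advisory("CVE-0000-EXAMPLE3", 7.5)
    return [
        Device("cam-lobby", "5.6.2", True, [critical_fixed, medium_testing]),
        Device("cam-parking", "5.7.0", False, [critical_fixed, medium_testing]),
        Device("nvr-01", "4.1.0", False, [high_no_patch]),
    ]


if __name__ == "__main__":
    for dev in demo_inventory():
        for adv in dev.advisories:
            print(dev.name, adv.cve_id, cvss_severity(adv.cvss), disclosure_status(adv))
    for row in patch_priority(demo_inventory()):
        print("patch next:", row)
```

Running the block prints each advisory's severity band and disclosure stage, then the patch queue: the internet-exposed lobby camera comes first even though the unpatched NVR advisory scores higher, because exposure is the first sort key; the parking camera already runs the fixed firmware and does not appear at all. The design choice worth noting is that `needs_patch` treats "no patch yet" as affected rather than silently skipping it, so devices waiting on a vendor fix stay visible to the team that must apply compensating mitigations in the meantime.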
Organization-wide mitigation efforts depend on the discovery of vulnerabilities and their responsible disclosure together with patches; this is what makes a cybersecurity risk strategy robust. Understanding the approach can also help you identify and lead better vulnerability responses in the future.
To learn more, download a copy of Hikvision’s Vulnerability Management white paper.