GRC Controls for the NVD Issue 

Common Vulnerabilities and Exposures (CVE) are a crucial source of information on cyber vulnerabilities for organizations and malicious actors alike. The CVE Numbering Authorities (CNA), CVE.org, MITRE, and the National Institute of Standards and Technology (NIST) collaborate to identify and publish known cyber vulnerabilities, helping organizations protect their environments.

Specifically, one of the NVD’s responsibilities is to enrich initial CVE details with:

1. Common Platform Enumeration (CPE): A dictionary of hardware, operating systems, and applications.
2. Common Vulnerability Scoring System (CVSS): A system for measuring the severity of software vulnerabilities.
3. Common Weakness Enumeration (CWE): A taxonomy for identifying common sources of software flaws (e.g., buffer overflows, input validation failures).

The enriched CVEs by NVD are critical for organizations to identify and manage known cyber vulnerabilities using the CPE, CVSS, and CWE data. However, the NVD outputs face several challenges from proper execution and the risks need to be assessed and evaluated.

The Issue at Hand

The reliance on CPE details within a CVE, which can be inaccurately assessed, labeled with non-standardized names, or the product changed due to business conditions, may or may not return the accurate CVE results that are applicable to your organization. If search criteria do not match the CPE ID or name, zero results can be returned. This raises the question: How many unknown cyber vulnerabilities are currently active in your environment?

Many vulnerability management tools depend on the NVD to automatically assess and report on cyber vulnerabilities. There are some tools which use multiple sources and proprietary algorithms to identify enriched details for CVEs, reducing sole reliance on the NVD.

GRC Controls for the NVD Issue

Despite the NVD gaps, Governance, Risk, and Compliance (GRC) techniques offer a proactive approach to reduce or mitigate the risks. Here are GRC methods to manage the current NVD situation:

1. Understand your dependencies on the NVD.
   • Engage with your vulnerability management sources to understand the dependencies.
   • Analyze the outcomes of these discussions and assess the risks.
2. Review your resiliency program for NVD dependencies.
   • Update your Business Impact Analysis (BIA) and value chain assessments.
   • Review your Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) for potential triggers.
   • Practice your Cyber Security Incident Response Plan (CSIRP).
   • Increase the frequency of testing backups for critical systems.
   • Conduct more frequent incident response tabletop exercises excluding known vulnerabilities.
3. Execute risk management processes on your NVD dependencies.
   • Implement temporary monitoring controls for supply chain vendors with access to critical systems.
   • Identify and monitor compensating controls to reduce risk and respond.
   • Update threat models excluding CVE data.
4. Enhance cyber security controls and business processes for monitoring critical systems.
   • Update business processes for monitoring critical systems from resiliency and risk activities
   • Ensure authorized baselines are updated for acceptable traffic.
   • Increase log monitoring for critical systems.
   • Configure SIEM to alert on newly assessed risks.
   • Vendors actively engages as CNA providers will often supply security patches or workarounds on their websites. Try to implement security patches with more diligence versus dependence on mitigations or exceptions. While Vendors offering varying degrees of vulnerability exposures on their website, you should independently assess your exposure via BIA and asset criticality analysis.

Long-Term GRC Controls for the NVD Issue

The mentioned GRC controls for the NVD issue are not temporary fixes but long-term, flexible solutions. The NVD issue is just one of many potential impacts to your organization. Cyber threat actors can still find and exploit vulnerabilities, even without NVD notifications. However, the NVD is not accurately notifying organizations of the necessary CVE details to take action. Implementing all the mentioned GRC controls may not always be feasible or cost-effective, and each should be evaluated for your organization. The GRC controls provide ongoing benefits and, if removed, can be re-implemented as needed.

I am not advocating to eliminate current dependencies on CVE data, but to augment and strengthen your cyber defences with additional GRC controls. The CVEs are not a silver bullet to your cyber hygiene and posture. By focusing on what you can control, such as applying GRC within your environment, you can better manage the risks associated with the NVD issue and other subjects that also present unknown risks.

Additional Information on the NVD Issue

The NVD issue holds many details and complexities which are not easily explained in a single blog or source. To understand further, please visit Tom Alrich’s blogs, where he offers detailed analysis and potential remedies for the NVD issue. Tom is a well-connected source of information and has his finger on the NVD pulse, among others.

• The NVD responds to concerns although not well
  • https://tomalrichblog.blogspot.com/2024/03/the-nvd-responds-to-concerns-although.html
• Just some of the many problems with CPE names
  • https://tomalrichblog.blogspot.com/2024/07/just-some-of-many-problems-with-cpe.html
• Its September 30. Do you know where your CVE backlog is?
  • https://tomalrichblog.blogspot.com/2024/10/its-september-30-do-you-know-where-your.html

By focusing on what you can control, such as applying GRC within your environment, you can better manage the risks associated with the NVD backlog and other vulnerabilities.