Another record year in vulnerabilities as the CVE storm continues

The vulnerability storm continues unabated.

The count of security vulnerabilities has reached another annual record, with six weeks remaining in the calendar year. This week the number of Common Vulnerabilities and Exposures (CVEs) hit 14,722, eclipsing last year’s total of 14,714, according to the tracking totals at CVE Details.

CVEs are being added this year at a rate of more than 300 per week on average. If that pace holds, the total should rise by another 2,000 CVEs by year’s end. This means that the vulnerability rate is nearly triple what it was 10 years ago. What does the continuously rising total mean for companies that develop and bring to market embedded systems in this environment?

Vulnerability Management for Product Developers

From a product line management point of view, vulnerability management entails tracking and responding to vulnerabilities that affect your products, both those still in development and those already on the market. So, depending on your particular type of product, this may include continuous monitoring of a vulnerability database, tracking security patches issued by component suppliers, and putting mitigations in place to cut the risk of a vulnerability being exploited.

Strictly speaking, the CVE listing published by MITRE is not a vulnerability database like the NIST National Vulnerability Database or the proprietary vulnerability databases offered by some companies. In contrast to standard vulnerability databases, MITRE’s CVE listing doesn’t contain detailed information about the risk associated with a given vulnerability or the mitigation of it. Instead, the CVE list acts as an index of known vulnerabilities that lets organizations link these vulnerabilities to the systems that can be affected, so that appropriate mitigation steps, patches and other responses can be planned, coordinated and executed quickly.

You can look at the CVE list as a common repository of vulnerability details that should be the jumping-off point for your more involved vulnerability management process.

Best Practices for More Secure Products

To that end, here are the best practices that our customers follow in vulnerability management:

1. Vulnerability monitoring

Tracking vulnerabilities often involves subscribing to notification lists, monitoring security research web sites, and staying up-to-date on your component vendors’ security disclosures and patching notifications.

With the majority of products on the market incorporating many different software components, including many open source components, this means a lot of data sources need to be tracked and monitored on a continuous basis.

2. Vulnerability filtering

Only a fraction of the vulnerabilities being publicly disclosed will likely apply to your products, so a portion of your vulnerability management process should focus on sifting through the reported security issues to narrow your focus to those that pertain to the components in your products and the affected versions of those components.

Naturally, to properly analyze this, you also need to have a clear and accurate inventory of components in your products, such as a software bill of materials produced by an open source software scan and analysis.

3. Vulnerability assessment

For the purposes of product line management, the process of vulnerability assessment means analyzing your identified vulnerabilities, evaluating the known exploits that take advantage of them, and then assessing the risk and impact of a security breach that could result.

So your assessment will focus on questions such as whether the affected component is exposed to external access and could be exploited by an attacker.

4. Mitigation

Mitigation involves determining how a vulnerability that poses a security risk can be eliminated or addressed on at least a temporary basis to lessen the breach exposure for your customers. This means mitigation may involve modification of a device configuration in production, a security patch or even a customer advisory directing temporary suspension of product usage until a patch is available.

Another consideration is how a device is deployed and the function it serves, such as in a medical device security context. As was illustrated in the recent Medtronic pacemaker security issue, the software update process itself may be the attack vector by which an attacker could exploit a vulnerability. So the mitigation in that case was for the remote product update service to be deactivated until the security patch could be applied.

5. Patch management

Ultimately a large percentage of vulnerabilities result in the product manufacturer or software component maker issuing a security patch. So patch management is an important part of security maintenance and it should be aligned to the rest of your vulnerability management process.

So, for example, the immediate mitigation of a product with a serious security vulnerability representing a high chance of a breach may be to take it out of production deployment until a patch can be applied.
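As an added example (not Timesys code), here is how steps 2 and 3 above can be reduced to a script: it filters a CVE feed against a product's software bill of materials by component name and affected version range, then ranks the survivors by CVSS score and by whether the component is reachable from the network. The SBOM entries, the CVE-0000-* identifiers, the version ranges and the exposure flags are all constructed placeholders.

```python
"""Added example: filter a CVE feed against a product SBOM, then rank the
survivors by severity and exposure (steps 2 and 3 above). Not Timesys code;
all SBOM entries and CVE records are constructed placeholders."""
from collections import namedtuple

Component = namedtuple("Component", "name version exposed")  # exposed: reachable over the network
Cve = namedtuple("Cve", "id product introduced fixed cvss")  # affected range is [introduced, fixed)

# Constructed SBOM for a hypothetical gateway image
SBOM = [
    Component("busybox", "1.28.3", exposed=False),
    Component("dropbear", "2017.75", exposed=True),
    Component("zlib", "1.2.11", exposed=False),
]
# Constructed feed; the CVE-0000-* ids are placeholders, not real CVEs
CVE_FEED = [
    Cve("CVE-0000-0001", "busybox", "1.20.0", "1.29.0", 9.8),     # in range
    Cve("CVE-0000-0002", "busybox", "1.30.0", "1.31.0", 5.3),     # shipped version predates it
    Cve("CVE-0000-0003", "dropbear", "2016.72", "2018.76", 8.1),  # in range, network-facing
    Cve("CVE-0000-0004", "libxml2", "2.9.0", "2.9.5", 7.5),       # component not in the SBOM
]

def version_key(v):
    """Dotted-numeric versions only; real feeds need a scheme-aware comparator."""
    return tuple(int(p) for p in v.split("."))

def is_affected(comp, cve):
    """Step 2 (filtering): same component and version inside [introduced, fixed)."""
    if comp.name != cve.product:
        return False
    return version_key(cve.introduced) <= version_key(comp.version) < version_key(cve.fixed)

def priority(comp, cve):
    """Step 3 (assessment): severity combined with whether the component is exposed."""
    severe = cve.cvss >= 7.0
    if comp.exposed and severe:
        return "urgent"
    return "high" if comp.exposed or severe else "scheduled"

def triage(sbom=SBOM, feed=CVE_FEED):
    """Return (cve id, component, priority) for each applicable CVE, most urgent first."""
    order = {"urgent": 0, "high": 1, "scheduled": 2}
    hits = [(cve.id, comp.name, priority(comp, cve))
            for comp in sbom for cve in feed if is_affected(comp, cve)]
    return sorted(hits, key=lambda h: order[h[2]])

if __name__ == "__main__":
    for cve_id, comp, prio in triage():
        print(f"{prio:9} {cve_id} ({comp})")
```

Two of the four feed entries are dropped before anyone looks at them: one because the shipped version predates the affected range, one because the component is not in the image at all.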

At Timesys we have two decades of experience helping device makers bring their products to market, most recently with Internet of Things (IoT) and similar smart devices. In that time, we have seen embedded system security become more important, with more and more of our projects focusing on embedded Linux security, IoT security, and open source software security.

Our Threat Resistance Security Technology (TRST) Product Protection Solutions will assist you with cutting through the continuing storm of vulnerabilities to focus on those that matter to you and your customers.

Our solutions include:

Our highly experienced team is standing by to help you to cut through the CVE storm and bring more secure products to market faster.

Contact us today to learn more.

Adam Boone is VP of Marketing at Timesys. Over two decades, Adam has launched more than 50 solutions in networking, cybersecurity, enterprise applications, telecom and other technology areas. He completed his MBA in Business Strategy at Arizona State and the Marketing Strategy Program at Penn’s Wharton School.

About Timesys

Timesys has extensive experience with embedded system development and lifecycle management. Timesys has worked closely with leading global semiconductor manufacturers, delivering smart, quick and high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.

Will more embedded device makers fix security before massive fines force them to do it?

Security of smart devices is getting worse, says a penetration testing expert, who blames suppliers of connected devices that ignore security and privacy issue notifications.

Is the answer more security regulations and laws, or is it better product strategy?

Computer Weekly reported this week on security expert Ken Munro’s comments in a conference presentation in which he blasted many embedded system suppliers for not seeming to care about securing their products.

Monitoring and managing vulnerabilities for embedded systems built with Yocto

The Yocto Project is well known for enabling product developers to quickly and easily customize Linux for Internet of Things (IoT) devices and other embedded systems. But today’s environment is marked by heightened security concerns, skyrocketing vulnerability reports, and high-profile security breaches.

Getting your embedded system product to market fast is important. But getting to market fast without a secure design and a plan for managing future vulnerabilities is a huge mistake. If you design, build and support products with embedded Linux using Yocto, it’s important to evaluate security of your system from the point of view of the end customer who will deploy it.

Security vulnerabilities and medical devices: when the software update itself is the problem

A classic security breach vector involves exploiting weak authentication. As security researchers like to point out, failing to change default passwords for administrative access remains the top security issue for all types of IT systems.

But a related — and perhaps more devious — attack vector involves exploiting a weakness in a process that is supposed to help ensure device security in the first place: the remote system update.

Embedded system security and the IT performance tradeoff

Embedded system products are often deployed by IT managers struggling with a longstanding tradeoff: Should you sacrifice IT performance to make IT more secure?

The performance-or-security tradeoff has been the subject of technology research and industry analysis for many years. The analysis often focuses on issues like network performance or business application performance and how security measures may impede or otherwise affect throughput or access.

Security testing of embedded open source systems creates a stronger enterprise security posture

Researchers and the technology media are reporting that the average application now contains more open source software components than proprietary code. And the use of open source components in embedded systems such as Internet of Things (IoT) devices likewise is on the rise.

How is this trend affecting awareness of embedded system security and open source security best practices? If you bring embedded system products to market with open source components, how do these systems affect your customers’ security postures?

To evaluate these questions, it helps to explore how enterprises test and measure the security of IT systems.

Security vulnerabilities and the Internet of Things

We’re on the verge of setting another annual record in the number of security vulnerabilities being reported. And more and more vulnerability exploits are targeting the Internet of Things.

Botnet exploits are going after IP cameras. Smart home technologies are being hacked. Even children’s toys are being hacked and used for covert surveillance. And in one bizarre case, hackers gained access to a casino’s systems through a smart thermometer in the lobby fish tank.

But these cases raise the question: what really is a vulnerability?

Vulnerability management for Internet of Things and embedded systems

The number of security vulnerabilities continues to skyrocket. After setting a record last year, the number of reported Common Vulnerabilities and Exposures (CVEs) is on pace to set yet another record this year.

In 2017, more than 14,000 CVEs were reported, affecting a vast range of devices, systems and applications. So far in 2018, more than 12,000 CVEs have been reported, and if that pace continues, we should move past last year’s record number in the next two months.

Laying down the law on IoT security

IoT device security vaulted into the public consciousness in recent years. Media coverage of successful attacks against IoT devices and supporting systems, botnets powered by compromised devices, and a range of other security issues have raised public concern.

But now California is on the verge of enacting the first actual law in the US to mandate IoT device security.

Unfortunately, according to some in the industry, the bill now awaiting the governor’s signature will do little in its present form to improve the security of IoT, or the companies deploying it, or the people using it.

Security at IoT scale

It often helps to look at cybersecurity from the attacker’s point of view.

This approach, in fact, is the foundation of common techniques for penetration testing. That’s when “white hat” hackers will put a company’s IT systems through a range of attacks, looking for security vulnerability issues and defense gaps.

So when we consider Internet of Things device security and the defenses that protect an enterprise’s IoT deployments, it’s important to adopt the mindset of an attacker.

What’s an attacker looking for when they are prepping IoT attacks?
