Airbus Protect explains: Vulnerability Management

CPE Version 2.3 Fields and Their Meaning

This standard is a structured naming system, managed by MITRE, used to uniquely identify software and hardware platforms by assigning a standardised identifier to each specific product or version. We identify all vulnerabilities affecting this product version, then draft the security bulletin, which is sent to inform our clients of specific risks and mitigation steps.

After receiving a security bulletin, a contextual analysis is performed to evaluate the actual impact on the monitored projects. It aims to identify vulnerable components (software, OS, libraries, etc.) and then analyse their role within the project’s specific environment. This approach allows for a better understanding of risks and prioritisation of corrective measures.

Risk Qualification within Each Impacted Project

When we talk about a vulnerability, we’re actually referring to a specific entry in the “CVE” (Common Vulnerabilities and Exposures) glossary. This system provides a method for publicly sharing information about cybersecurity vulnerabilities and exposures. Each vulnerability has a unique identifier that differentiates it for monitoring purposes.

When analysts assess a vulnerability, they use a centralised methodology known as CVSS (Common Vulnerability Scoring System) to ensure consistency. CVSS scores each vulnerability from 0 to 10 to detail the impact, exploitation methods, and potential severity. This is calculated based on three metrics:

Base Score : This score is calculated based on various sub-scores. For example, how can this vulnerability be exploited (via physical access, an adjacent local network, or the internet)? How complex is it? Does the attacker need to be authenticated? And what impact does it have on the three core principles of information security: confidentiality, integrity, and availability? Once calculated, a vulnerability’s base score remains constant.

Temporal Score : This score changes based on the timeliness of a vulnerability. For example, have patches been released? Have attackers developed new exploits?

Environmental Score : This is the most variable score. The impact of a CVE can vary depending on the specific company or project being monitored. For instance, if a network is isolated from the outside world by its configuration, then a vulnerability with a local attack vector will present minimal risk. These metrics differentiate the importance of each component or group of components within the system and are usually calculated upstream by our clients.

For each affected project, the potential impact of the vulnerability is assessed by considering factors such as system criticality, data handled, affected users, and potential access to sensitive resources. Based on this, risks are qualified and prioritised, by assigning a criticality score (e.g., using the CVSS system). This determines which vulnerabilities should be addressed first and how resources should be allocated to effectively respond to the threat.

The team also updates the scope of critical and vulnerable systems using dedicated tools and offers personalised technical support. Furthermore, they actively communicate with clients and partners, providing clear advice and explanations on security reports, new threats, and recommended practices, thereby fostering informed decisions to strengthen their security.

Active Vulnerability Management

Active vulnerability monitoring utilises completely different tools. In this case, we monitor our clients’ information systems using a detection tool that probes the perimeter for vulnerabilities. The goal is to identify them and inform clients that they need to apply patches as quickly as possible. We then help clients implement a comprehensive strategy to enhance their SI security. This means not only detecting and managing vulnerabilities but also reducing overall exposure to cyberattacks, whether from external sources (hackers, malware) or internal ones (human error, misconfiguration). To achieve this, we offer consulting, analysis, and vulnerability management services, while also helping our clients adopt proactive practices to secure their systems.

Each perimeter (network, web applications, cloud infrastructure, etc.) has its own vulnerabilities and challenges, so our approach is always customised. The Active Vulnerability team therefore provides technical support to resolve issues and optimise tools, supports Proof of Concept (POC) phases to demonstrate the suitability of a given solution, and actively participates in the deployment of new solutions, ensuring a smooth and personalised integration.

For critical security flaws, rapid action is imperative. The goal is to block exploitation and ensure business continuity. To this end, asset prioritisation is essential. Focusing efforts on the most critical systems, applications, and data (financial information, personal data) optimises resource allocation and maximises risk reduction. The criteria include criticality, connectivity, and likelihood of attack.

Mitigation Strategies: Temporary Solutions to Limit Risks

While waiting for permanent patches, temporary mitigation measures are indispensable. Strengthening access controls, network segmentation, intrusion detection systems, and strict filtering all serve as barriers to reduce the attackers’ window of opportunity.

Conclusion: Proactivity, Collaboration, and Vigilance: Keys to Robust Cybersecurity

Proactive vulnerability management is essential for large organisations. Continuous identification, rigorous assessment, and rapid response are crucial to protect the organisation, preserve trust, and ensure compliance. Close collaboration between vulnerability management experts and the CSIRT (Computer Security Incident Response Team) and SOC (Security Operations Center) is fundamental for a coordinated and effective response to incidents, thereby strengthening the organisation’s defenses.

Interested in Airbus Protect’s services?