NIST Deprioritizes Pre-2018 CVEs Amid Backlog and New Threats

Article Highlights
Off On

The US National Institute of Standards and Technology (NIST) recently made a significant decision affecting the cybersecurity landscape by marking all Common Vulnerabilities and Exposures (CVEs) published before January 1, 2018, as “Deferred” in the National Vulnerability Database (NVD). This move impacts over 20,000 entries and potentially up to 100,000, signaling that these CVEs will no longer be prioritized for further enrichment data updates unless they appear in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. NIST’s decision comes in response to an ongoing struggle with a growing backlog in processing vulnerability data, exacerbated by a 32% surge in submissions in the past year.

An Overwhelming Backlog and Strategic Reprioritization

NIST’s challenges in processing and enriching the vast amount of incoming data have delayed its goal of clearing the backlog by the end of fiscal year 2024. In response, NIST is developing new systems to handle these issues more efficiently. Industry experts consider this move practical given the complexities of managing vulnerabilities at scale. Ken Dunham from Qualys describes it as an evolution in the face of changing cyber threats. Meanwhile, Jason Soroko from Sectigo interprets this as a strategic reprioritization, with resources redirected towards addressing emerging threats, assuming that legacy issues have been mitigated through routine patch management practices. The responsibility for managing deferred CVEs now shifts more heavily onto organizations. For security teams, this means identifying and monitoring legacy systems, prioritizing the patching of deferred vulnerabilities, and hardening or segmenting outdated infrastructure. Using real-time threat intelligence to detect attempts at exploiting these vulnerabilities becomes crucial. This shift highlights a broader trend where organizations must adopt proactive risk management strategies due to the increasing volume of CVEs and limited resources available to handle them.

Embracing Advanced Technology for Improved Efficiency

In addressing its backlog, NIST is also exploring the potential use of artificial intelligence (AI) and machine learning to streamline the processing of vulnerability data. This move reflects an ongoing trend in the cybersecurity industry toward leveraging advanced technologies for more efficient management of vulnerabilities. By incorporating AI and machine learning, NIST aims to ensure that both older and newer vulnerabilities receive appropriate attention within the constraints of available resources. This nuanced approach to cybersecurity management underscores the need for a balance between addressing legacy vulnerabilities and staying ahead of emerging threats. Organizations are encouraged to adopt similar strategies, using technology to enhance their cybersecurity efforts and ensure comprehensive coverage of potential vulnerabilities. This shift in focus not only addresses immediate backlog issues but also sets the stage for more sustainable and scalable vulnerability management practices in the future.

New Paradigm for Cybersecurity Management

The US National Institute of Standards and Technology (NIST) has recently made a crucial decision that impacts the cybersecurity domain by designating all Common Vulnerabilities and Exposures (CVEs) published before January 1, 2018, as “Deferred” in the National Vulnerability Database (NVD). This adjustment affects over 20,000 entries and potentially up to 100,000, indicating that these CVEs will no longer receive prioritized updates for enrichment data unless they are listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. NIST’s decision is a response to an ongoing challenge with a growing accumulation of vulnerability data, which has been aggravated by a 32% increase in submissions over the past year. This strategic shift aims to address the backlog more effectively and allocate resources more efficiently, ensuring newer and more critical vulnerabilities receive the attention they require for maintaining robust cybersecurity measures.

Explore more

How Does Ghost Tapping Threaten Your Digital Wallet?

In an era where contactless payments have become a cornerstone of daily transactions, a sinister scam known as ghost tapping is emerging as a significant threat to financial security, exploiting the very technology—near-field communication (NFC)—that makes tap-to-pay systems so convenient. This fraudulent practice turns a seamless experience into a potential nightmare for unsuspecting users. Criminals wielding portable wireless readers can

How Does Captive Fit Transform Insurance Risk Management?

I’m thrilled to sit down with a leading expert in captive insurance solutions to discuss a groundbreaking development in the field. With years of experience in risk management and financial analytics, our guest today offers unparalleled insight into optimizing insurance strategies for organizations worldwide. We’re diving into the recent launch of Captive Fit, a new analytical tool designed to revolutionize

Why Does Insurance Need Specialized AI Like InsurGPT?

Setting the Stage: A Sector at a Technological Crossroads The insurance industry, a bedrock of global economic stability, is grappling with staggering inefficiency costs—billions of dollars lost annually to manual processes and outdated systems, pushing the sector to a critical juncture. As digital transformation sweeps across industries, insurers face a pressing challenge: how to leverage artificial intelligence (AI) to streamline

Hyperscale Data Centers – Review

The digital world is expanding at an unprecedented pace, with global data creation expected to reach staggering volumes in the coming years, driven by cloud computing, artificial intelligence, and the Internet of Things (IoT). Hyperscale data centers stand at the forefront of this revolution, serving as the critical infrastructure that powers the modern internet and enterprise ecosystems. These colossal facilities

Who Are the Top 10 Insurance Software Development Firms?

Navigating the Digital Shift in Insurance Technology The insurance industry stands at a transformative crossroads, where technology dictates competitive advantage and operational survival in an increasingly digital world. With the global insurance software market valued at a robust $14.14 billion, the surge in demand for innovative, compliant, and user-centric solutions has never been more evident. This analysis delves into the