The Cybersecurity and Infrastructure Security Agency (CISA) in the US recently released its annual top routinely exploited vulnerabilities report. It is co-authored by a number of cybersecurity authorities worldwide and aims to summarize the vulnerabilities having the biggest impact on organizations.
What is a vulnerability?
A vulnerability is essentially a weakness in an IT system that a threat actor can exploit to launch a cyberattack. Understanding what vulnerabilities are out there, and managing them, is an important part of any cybersecurity strategy, but one that can also be hard to keep on top of. Let’s take a closer look at the CISA report and find out what the most exploited vulnerabilities are and what you can do to steer your security program in the right direction, with or without the help of IT risk management software.
Top three most exploited vulnerabilities
1. Log4Shell: This vulnerability is found in a widely used Java logging library and enables attackers to take control of a victim’s device. Despite how infamous it is, over 68,000 servers remain publicly exposed without the appropriate patch applied. Read about our Log4Shell pentest for more information.
2. ProxyLogon: This Microsoft Exchange vulnerability allows cybercriminals to access private information stored in files and mailboxes on the server, as well as any confidential login details saved on its disk.
3. ProxyShell: This also affects Microsoft Exchange email servers, but in this case the vulnerability allows an attacker to execute arbitrary code, which can give a cybercriminal a higher set of privileges and, with them, access to sensitive data.
How are these vulnerabilities still able to make an impact?
It’s important to note that these top three vulnerabilities, and indeed the majority of the list identified by CISA, are not new. Fixes exist for them, so why do they remain so widely exploited? There can be a few different reasons a company might not patch immediately.
We often see long gaps between a patch being released and it being installed when businesses have poor inventory and asset management. As a result, companies might not even be aware that a device or system with that vulnerability exists in their infrastructure.
In other cases, there could be mission-critical machinery that can only run on legacy software. Take the healthcare sector, for example. Hospitals may have MRI scanners that can only run on Windows XP. This means patching is not always possible, so it’s important to reduce the time that a device like this spends networked.
In addition to targeting vulnerabilities in email servers, the CISA report also mentions how cybercriminals target other internet-facing systems, such as virtual private networks (VPNs). Since the move to remote and hybrid working, VPNs are increasingly relied on.
While having a ‘work from anywhere’ mentality is great for flexibility, remote access solutions, unfortunately, make a perfect entry point for an attacker, allowing them to logically position their device within that network. As a result, businesses must deploy thorough security measures, such as pushing VPN client software to end users or using full disk encryption technology to keep the infrastructure secure.
How to manage vulnerabilities more effectively
With new vulnerabilities being discovered every day and old ones still needing to be patched, vulnerability management has never been more important. The best policies are a combination of automated technologies and effective team communication. While IT risk management software can help with this, procedures need to be in place to supplement technological capabilities.
So, what steps can businesses take?
- Regular cyber hygiene assessments: Keep it simple. Consistently practicing basic cyber hygiene and regularly reviewing vulnerabilities can make a real impact on a business’s overall security strategy. This includes keeping on top of patches, frequently reviewing the technical estate, and even investing in tools such as vulnerability management software for continuous screening.
- Asset management: When taking stock of possible at-risk endpoints, companies shouldn’t just review well-documented machines. The problem is often legacy hardware that has long been forgotten. Instead, the company should assess its entire infrastructure to properly identify areas for improvement. From there, it needs to evaluate the impact each device would have if it were compromised and then systematically work to minimize that risk.
- Engage your senior leadership team: Many reports discuss how password practices and basic cyber hygiene are often poor among executives and CEOs. This is problematic because the higher up in an organization someone is, the more sensitive the material they have access to. To remedy this, companies need to create tailored training sessions that inform senior figures of their specific attack path and how they can actively protect themselves.
- Threat modeling: This gives organizations greater visibility by showing them what an attacker sees. With that insight, they can place controls along each identified attack path, building layered, defence-in-depth models.
- Create canary accounts: Companies can plant the credentials of accounts that are set up specifically never to be used in files or databases. Because no legitimate user should ever touch these accounts, any attempt to use them is a clear signal of compromise, giving businesses higher visibility from a single, simple form of monitoring.
- Air gapping: Another measure businesses can leverage is keeping file backups on a completely isolated device that cannot establish an external connection, a technique known as air gapping. This means that if a business does fall victim to an attack, hackers can’t reach its backup data, since it is in no way connected to the main network. This puts the company in a much stronger position during the recovery window.
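As an added example (not SureCloud’s code or the page’s own), here is the detection side of the canary account idea: a small Python scanner that reads a constructed, vendor-neutral authentication log and raises an alert on any attempt, successful or not, to use a planted account. The log format, account names, hosts and addresses are all made up for the illustration.

```python
import re
from dataclasses import dataclass

# Canary accounts: constructed names for accounts that exist in the
# directory but are never legitimately used. Any authentication attempt
# with one of them is a high-confidence signal that a planted
# credential has been picked up.
CANARY_ACCOUNTS = {"svc-backup-legacy", "finops-admin"}

# Constructed log format (not any vendor's real format): one auth event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Constructed sample log: normal logons, two canary attempts from one
# source, one canary attempt via the VPN gateway, and a junk line.
SAMPLE_LOG = """\
2024-03-01T08:01:12Z host=dc01 event=logon user=CORP\\alice src=10.0.5.23 result=success
2024-03-01T08:02:40Z host=dc01 event=logon user=CORP\\SVC-Backup-Legacy src=10.0.9.77 result=failure
2024-03-01T08:02:41Z host=dc01 event=logon user=CORP\\svc-backup-legacy src=10.0.9.77 result=success
2024-03-01T08:05:03Z host=fs02 event=logon user=bob src=10.0.5.40 result=success
2024-03-01T08:07:55Z host=vpn01 event=logon user=finops-admin src=203.0.113.8 result=failure
this line is not an auth event
"""

@dataclass(frozen=True)
class CanaryAlert:
    ts: str
    host: str
    user: str
    src: str
    result: str

def normalise_user(raw: str) -> str:
    """Strip a DOMAIN\\ prefix or @domain suffix and lower-case the name."""
    return raw.rsplit("\\", 1)[-1].split("@", 1)[0].lower()

def find_canary_hits(log_text: str, canaries: set[str]) -> list[CanaryAlert]:
    """One alert per logon event naming a canary account. Failed attempts
    count too: the account is never used, so even a wrong-password attempt
    means someone found the planted credential."""
    wanted = {c.lower() for c in canaries}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "logon":
            continue  # malformed line or not an authentication event
        if normalise_user(m["user"]) in wanted:
            alerts.append(CanaryAlert(m["ts"], m["host"], m["user"], m["src"], m["result"]))
    return alerts

if __name__ == "__main__":
    for a in find_canary_hits(SAMPLE_LOG, CANARY_ACCOUNTS):
        print(f"CANARY HIT {a.ts} {a.host} user={a.user} src={a.src} result={a.result}")
```

In practice the alert would be forwarded to the SIEM or on-call channel, and the source address and host give the responder an immediate starting point.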
SureCloud’s Cyber Risk Management Capability can help you to build a clear view of vulnerabilities and the business-critical applications they impact while looking at the steps needed to mitigate any damage. We offer a combination of IT risk management software to bolster your cybersecurity, as well as expert cyber services and vulnerability assessments.
Find out more about the top exploited vulnerabilities in CISA’s report and what you can do about them in this episode of our Cyber Threat Briefing, available on our Capability-Centric GRC & Cyber Security Podcast.