Vector
Vector

Choose your topics

Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Blogs
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Blogs
The Simple Way to Combat Phishing

SureCloud Cybersecurity Practice Director Luke Potter shares his tip to stay ahead of attackers phishing for your downfall.

Penetration Testing
Blogs
See Yourself in Cyber With Janhavi Deshpande

See Yourself in Cyber With Janhavi Deshpande - SureCloud

Cyber Security
Vector (7)
Vector-1
Vulnerability Management, GRC

Successful Vulnerability Management: The Must-Know Vulnerabilities Your Business Needs to Fix

Successful Vulnerability Management: The Must-Know Vulnerabilities Your Business Needs to Fix
Written by

Hugh Raynor,

Published on

22 Nov 2022

Successful Vulnerability Management: The Must-Know Vulnerabilities Your Business Needs to Fix

 

The Cybersecurity and Infrastructure Security Agency (CISA) in the US recently released its annual top routinely exploited vulnerabilities report. It is co-authored by a number of cybersecurity authorities worldwide and aims to summarize the vulnerabilities having the biggest impact on organizations. 

 

What is a vulnerability?

A vulnerability is essentially a weakness in an IT system that a threat actor can exploit to launch a cyberattack. Understanding what vulnerabilities are out there, and managing them, is an important part of any cybersecurity strategy, but one that can also be hard to keep on top of. Let’s take a closer look at the CISA report and find out what the most exploited vulnerabilities are and what you can do to steer your security program in the right direction, with or without the help of IT risk management software.

 

Top three most exploited vulnerabilities 

1. Log4Shell: This vulnerability is found in a popular java application that enables attackers to take control of a victim’s device. Despite how infamous it is, over 68,000 servers are still publicly exposed, with appropriate patching not being completed. Read about our Log4Shell pentest for more information.

 

2. ProxyLogon: This allows cybercriminals to access private information stored in files and mailboxes on Microsoft Exchange as well as any confidential login details saved on the hard drive.

 

3. ProxyShell: Also affecting Microsoft Exchange email servers, but in this case, the vulnerability allows an attacker to execute arbitrary code that could give a cybercriminal a higher set of privileges, gaining them access to sensitive data. 

 

How are these vulnerabilities still able to make an impact? 

It’s important to note that these top three vulnerabilities, and indeed the majority of the list identified by CISA, are not new. Fixes exist for them, so why do they remain majorly exploited? Well, there can be a few different reasons a company might not patch immediately.  

 

We often see huge timelines between patches being released and installed when businesses have poor inventory and asset management. As a result, companies might not even be aware that a device or system exists in their infrastructure with that vulnerability. 

 

In other cases, there could be mission-critical machinery that can only run on legacy software. Take the healthcare sector, for example. Hospitals may have MRI scanners that can only run on Windows XP. This means patching is not always possible, so it’s important to reduce the time that a device like this spends networked. 

 

In addition to targeting vulnerabilities in email servers, the CISA report also mentions how cybercriminals target other internet-facing systems, such as virtual private networks (VPNs). Since the move to remote and hybrid working, VPNs are increasingly relied on. 

 

While having a ‘work from anywhere’ mentality is great for flexibility, remote access solutions, unfortunately, make a perfect entry point for an attacker, allowing them to logically position their device within that network. As a result, businesses must deploy thorough security measures, such as pushing VPN client software to end users or using full disk encryption technology to keep the infrastructure secure.

 

How to manage vulnerabilities more effectively

With new vulnerabilities being discovered every day and old ones still needing to be patched, vulnerability management has never been more important. The best policies are a combination of automated technologies and effective team communication. While IT risk management software can help with this, procedures need to be in place to supplement technological capabilities.

 

So, what steps can businesses take?

 

  • Regular cyber hygiene assessments: Keep it simple. Consistently practicing basic cyber hygiene and regularly reviewing vulnerabilities can make a real impact on a business’s overall security strategy. This includes keeping on top of patches, frequently reviewing the technical estate, or even looking to invest in tools such as vulnerability software for continuous screening capabilities. 

 

  • Asset management: When taking stock of possible at-risk endpoints, companies shouldn’t just review well-documented machines. The problem is often legacy hardware that has been long forgotten. Instead, the company should assess its entire infrastructure to properly identify areas for improvement. From there, they need to evaluate the impact each device would have if it were compromised and then categorically work to minimize the risk. 

 

  • Engage your senior leadership team: Many reports discuss how password and basic cyber hygiene are commonly quite poor among executives and CEOs. This is problematic because the higher up in an organization someone is, the more sensitive the material they have access to. To remedy this, companies need to create tailored training sessions that inform senior figures on what their specific attack path is and how they can actively protect themselves.

 

  • Threat modeling: This will provide higher levels of visibility and allow organizations to see what an attacker sees. With this insight, organizations can build on this and deploy controls defensively along that attack path, creating in-depth layered defence models. 

 

  • Create canary accounts: Companies should create canary accounts to put account credentials in files or in databases that are specifically set up to never be used. This will offer higher visibility and allow businesses to conduct a single form of monitoring. 

 

  • Air gapping: Another exercise businesses can leverage is having file backups on a completely isolated device that cannot establish an external connection, a technique known as air gapping. This means that if a business does fall victim to an attack, hackers can’t gain access to its backup data since it is in no way connected to the main network. This will put the company in a much stronger position during the recovery window.  

 

SureCloud’s Cyber Risk Management Capability can help you to build a clear view of vulnerabilities and the business-critical applications they impact while looking at the steps needed to mitigate any damage. We offer a combination of IT risk management software to bolster your cybersecurity, as well as expert cyber services and vulnerability assessments.

 

Find out more about the top exploited vulnerabilities in CISA’s report and what you can do about them in this episode of our Cyber Threat Briefing, available on our Capability-Centric GRC & Cyber Security Podcast.