In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies of the Five Eyes community.
These joint advisories are becoming more common, perhaps reflecting the growing importance of shared security information and the common nature of many of the threats faced. Either way, the weight they carry makes them hard to ignore; ignoring them would be careless, and certainly ill-advised.
In this blog, we aim to outline the findings and advice contained in this recent advisory. But the summary is: Patch your systems.
Research into breaches in 2022 found that two-year-old vulnerabilities are commonly still being exploited to attack enterprises. Those responsible for cyber security oversight need to understand the weight of the advice and the exposure these vulnerabilities present to their organisation.
In the face of rising cyber threats to all organisations, but especially to critical infrastructure providers whose resilience directly affects national well-being, it is hardly surprising that these international agencies have joined forces to share their intelligence. Given the similar operating models of many common adversaries, the global nature of business and its interconnected supply chains, it is entirely likely that this cooperation between agencies will increase.
At first sight, the information contained in this advisory looks to be “old news”. For breaches that occurred in 2022, it was found that the vulnerabilities used in those attacks had been in the wild long before 2022, yet for many organisations, they remained unmitigated threats.
Many of the successful attacks were not dominated by new 2022-vintage vulnerabilities but rather by these old vulnerabilities, whose mitigation strategies are well publicised and for which patches exist. And yet they continue to pose problems for businesses, even today.
The implications are clear. New vulnerabilities are a concern, but the bigger problem for many organisations is the older vulnerabilities that persist, unpatched. Patching against today’s vulnerabilities is important, but a backlog of unresolved vulnerabilities that can impact your resilience is like having unexploded ordnance in your backyard.
The challenge with vulnerabilities (new or old) is identifying and then patching your systems. It’s a process thing; the technology already exists. The patches for these identified vulnerabilities are available, but they need to be more widely deployed. Patching means an attacker has to immediately find another unprotected access point or, better still, find another target altogether.
Importantly, the advisory highlights that attackers typically seek to exploit the most common and easily exploited vulnerabilities first. Leaving the vulnerabilities specifically identified in the advisory unpatched therefore increases the likelihood of a successful attack, and a failure to act leaves you vulnerable to anyone looking for any opening in any business. What more do you need to know?
The findings reveal that the top 12 vulnerabilities (Table 1 in the advisory) include several from 2021 and one from 2018. The additional table of routinely exploited vulnerabilities (Table 2) contains two from 2017, three from 2019, four from 2020 and eleven from 2021.
Imagine the reputational damage to you and your organisation if you are successfully attacked via a vulnerability that had been left unpatched for a number of years. What would it say about your cyber governance if, like apparently many organisations, you are still exposed today?
For board directors and the C-suite – those who own risk or have fiduciary responsibilities for it – this research is undoubtedly a wake-up call. Board members have a responsibility for the oversight of risks that might impact the business and so knowing the nature and extent of that risk is an important step in its successful management.
The list of cyber security vulnerabilities in this latest advisory, and the fact that exploit code for them is still available in the wild, should be all the warning you need. Given the findings, it’s hard to argue that organisations and boards are doing enough to manage their cyber risks. In fact, it brings into question the quality of information they use to inform decision making, including security strategies, regulatory disclosure and stakeholder reporting.
The opportunity for directors and senior executives to use this joint advisory to eliminate these security vulnerabilities and improve their cyber security resilience is one that should not be missed.
Effective patching and efficient vulnerability management processes are the first part of the solution. Being able to report on this to validate their effectiveness, coverage and maturity is the second part.
Getting this right means that attacks like those in the advisory, when mounted against the organisation, are less likely to succeed. It also means that leaving persistent vulnerabilities unresolved, now that you have been advised of their associated risk, amounts to “leaving it to chance”, and the odds are not in your favour.
The best course of action is to look at the class of controls, not just the particular vulnerability. There is a set of common controls you should consider, but for now review the process by which patches are identified, prioritised and applied to your environment. This is what needs to be directed, understood and overseen by the board as part of a broader cyber governance programme. Clear and timely reporting on the ongoing relative effectiveness of each control must follow.
It turns out that cyber security control measurement and resilience reporting is much more than just a means of finding gaps or vulnerabilities to be addressed. It’s a systematic and structured way to monitor and manage cyber security risk – from vulnerability identification to resolution – and an indispensable part of cyber resilience management and corporate governance process.
The advisory findings suggest that many organisations clearly have some way to go to improve their cyber resilience. Risk owners need to ensure that they have clear visibility of their IT assets and the controls that protect them in order to upgrade their risk management practices.
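The measurement and reporting process described above (identification through to resolution, with the backlog prioritised by exploitability and age) can be made concrete. The following is an added example, not Huntsman Security's code or anything from the advisory: it takes a constructed list of open and resolved findings, prioritises the open ones (advisory-listed first, then oldest vulnerability first) and produces the headline numbers a board report would want, such as how many open findings relate to vulnerabilities more than two years old and how many have breached a remediation SLA. The CVE identifiers, asset names, dates and the 30-day SLA are all constructed placeholders.

```python
"""Vulnerability backlog ageing and prioritisation report (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TWO_YEARS_DAYS = 730  # threshold for an "old" vulnerability, per the advisory's theme


@dataclass
class Finding:
    asset: str
    cve: str                   # placeholder identifier, not from the advisory
    published: date            # date the vulnerability was publicly disclosed
    detected: date             # date the scanner first saw it on this asset
    in_advisory: bool          # listed in the joint advisory's tables
    resolved: Optional[date] = None  # None while the finding is still open


def is_open(f: Finding) -> bool:
    return f.resolved is None


def vulnerability_age_days(f: Finding, as_of: date) -> int:
    """Days since public disclosure; this is what 'two-year-old vulnerability' refers to."""
    return (as_of - f.published).days


def days_open(f: Finding, as_of: date) -> int:
    """Days between detection and resolution (or 'as_of' if still open)."""
    end = f.resolved if f.resolved is not None else as_of
    return (end - f.detected).days


def prioritise(findings, as_of: date):
    """Open findings, advisory-listed first, then oldest disclosure first."""
    open_findings = [f for f in findings if is_open(f)]
    return sorted(open_findings, key=lambda f: (not f.in_advisory, f.published))


def backlog_metrics(findings, as_of: date, sla_days: int = 30) -> dict:
    """Headline numbers for a control-effectiveness report."""
    open_findings = [f for f in findings if is_open(f)]
    resolved = [f for f in findings if not is_open(f)]
    over_two_years = [f for f in open_findings
                      if vulnerability_age_days(f, as_of) >= TWO_YEARS_DAYS]
    sla_breaches = [f for f in open_findings if days_open(f, as_of) > sla_days]
    resolved_within_sla = [f for f in resolved if days_open(f, as_of) <= sla_days]
    return {
        "open_count": len(open_findings),
        "open_advisory_listed": sum(f.in_advisory for f in open_findings),
        "open_over_two_years": len(over_two_years),
        "open_sla_breaches": len(sla_breaches),
        "assets_exposed": len({f.asset for f in open_findings}),
        "resolved_within_sla_pct": (100.0 * len(resolved_within_sla) / len(resolved)
                                    if resolved else 0.0),
    }


# Constructed sample data: four findings on four assets, one already resolved.
AS_OF = date(2023, 8, 15)
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-PLACEHOLDER-1", date(2021, 3, 1), date(2023, 6, 1), True),
    Finding("db-02", "CVE-PLACEHOLDER-2", date(2018, 5, 10), date(2022, 1, 15), True,
            resolved=date(2022, 2, 1)),
    Finding("app-03", "CVE-PLACEHOLDER-3", date(2022, 11, 20), date(2023, 8, 5), False),
    Finding("vpn-01", "CVE-PLACEHOLDER-4", date(2019, 7, 4), date(2023, 1, 10), True),
]


def report(findings=SAMPLE_FINDINGS, as_of=AS_OF) -> dict:
    """Print the prioritised backlog and return the metrics for the caller."""
    for f in prioritise(findings, as_of):
        print(f"{f.asset:8} {f.cve:20} advisory={f.in_advisory!s:5} "
              f"vuln_age_days={vulnerability_age_days(f, as_of):4} "
              f"days_open={days_open(f, as_of):4}")
    metrics = backlog_metrics(findings, as_of)
    for key, value in metrics.items():
        print(f"{key}: {value}")
    return metrics


if __name__ == "__main__":
    report()
```

The two separate ages matter: "vulnerability age" (time since disclosure) shows how long a patch has existed, while "days open" (time since detection) measures your own process. A backlog with many items old on the first measure but young on the second points to a visibility gap (the scanner only just found it); old on both points to a remediation gap.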
The call to action is clear:
The issuing agencies: CISA/NSA (US), NCSC (UK), ACSC (Australia), CCCS (Canada) and CERT-NZ (New Zealand).
Huntsman Security solutions are helping organisations to gain clear visibility of their vulnerabilities and security control effectiveness, and to uncover gaps in their controls. To find out more about what executives and directors can expect from a robust cyber security control management solution, explore our Essential 8 Auditor and SmartCheck applications, or request a call-back from our team.