Operational resilience | Risk Management & Reporting

September 28, 2023

In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies[1] of the “Five Eyes” community.

These joint advisories are becoming more common, perhaps in recognition of the growing importance of shared security information and the common nature of many of the threats faced. The weight they carry makes them hard to ignore; doing so would be careless, and certainly ill-advised.

In this blog, we aim to outline the findings and advice contained in this recent advisory. But the summary is: Patch your systems.

Research into breaches in 2022 found that two-year-old vulnerabilities are commonly still being exploited to attack enterprises. Those responsible for cyber security oversight need to understand the weight of the advice and the exposure these vulnerabilities present to their organisation.

The advisory can be found here, and news coverage is also available here.

The background to the joint advisory

In the face of rising cyber threats to all organisations, and especially to critical infrastructure providers whose resilience directly affects national well-being, it is hardly surprising that these international agencies have joined forces to share their intelligence. Given the similar operating models of many of our common adversaries, the global nature of business and its interconnected supply chains, it is entirely likely that this cooperation between agencies will increase.

At first sight, the information contained in this advisory looks to be “old news”. For breaches that occurred in 2022, it was found that the vulnerabilities used in those attacks had been in the wild long before 2022, yet for many organisations, they remained unmitigated threats.

Many of the successful attacks were not dominated by new 2022-vintage vulnerabilities but by these old vulnerabilities, whose mitigation strategies are well publicised and for which patches exist. And yet they continue to pose problems for businesses, even today.

Implications for organisations

The implications are clear. New vulnerabilities are a concern, but the bigger problem for many organisations is the older vulnerabilities that persist, unpatched. Patching against today’s vulnerabilities is important, but a backlog of unresolved vulnerabilities that can impact your resilience is like having unexploded ordnance in your backyard.

The challenge with vulnerabilities (new or old) is identifying and then patching your systems. It’s a process thing; the technology already exists. The patches for these identified vulnerabilities are available, but they need to be more widely deployed. Patching means an attacker has to immediately find another unprotected access point or, better still, another target altogether.

Importantly, the advisory highlights that attackers typically seek to exploit the most common and easily exploited vulnerabilities first. So leaving the vulnerabilities specifically identified in the advisory unpatched increases the likelihood of a successful attack, and a failure to act leaves you exposed to anyone just looking for any opening in any business. What more do you need to know?

The findings reveal that the top 12 vulnerabilities (Table 1 in the advisory) include several from 2021 and one from 2018. The additional table of routinely exploited vulnerabilities (Table 2) contains two from 2017, three from 2019, four from 2020 and eleven from 2021.

Imagine the reputational damage to you and your organisation if you are successfully attacked via a vulnerability that had been left unpatched for a number of years. What would it say about your cyber governance if, like apparently many organisations, you are still exposed today?

Implications for senior managers and directors

For board directors and the C-suite – those who own risk or have fiduciary responsibilities for it – this research is undoubtedly a wake-up call. Board members have a responsibility for the oversight of risks that might impact the business and so knowing the nature and extent of that risk is an important step in its successful management.

This list of cyber security vulnerabilities in this latest advisory, and the fact that their exploit codes still exist in the wild, should be all the warning you need! Given the findings, it’s hard to argue that organisations and boards are doing enough to manage their cyber risks. In fact, it brings into question the quality of information they use to inform decision making – including security strategies, regulatory disclosure and stakeholder reporting.

The opportunity for directors and senior executives to use this joint advisory to eliminate these security vulnerabilities and improve their cyber security resilience, is one that should not be missed.

Next steps

Effective patching and efficient vulnerability management processes are the first part of the solution. Being able to report on this to validate their effectiveness, coverage and maturity is the second part.

Getting this right means that attacks like those in the advisory, that are mounted against the organisation, are less likely to be successful. It also means leaving persistent vulnerabilities unresolved, having now been advised of their associated risk, is like “leaving it to chance” even when you’ve got very short odds.

Where to start

The best course of action is to look at the class of controls, not just the particular vulnerability. There is a set of common controls you should consider, but for now review the process by which patches are identified, prioritised and applied to your environment. This is what needs to be directed, understood and overseen by the board as part of a broader cyber governance programme. Clear and timely reporting on the ongoing relative effectiveness of the operation of each control must follow.

It turns out that cyber security control measurement and resilience reporting is much more than just a means of finding gaps or vulnerabilities to be addressed. It’s a systematic and structured way to monitor and manage cyber security risk – from vulnerability identification to resolution – and an indispensable part of cyber resilience management and corporate governance process.

Conclusion

The advisory findings suggest that many organisations clearly still have some way to go to improve their cyber resilience. Risk owners need to ensure that they have clear visibility of their IT assets and the controls that protect them, so that they can upgrade their risk management practices.

The call to action is clear:

  • Security vulnerabilities are lying hidden, like unexploded ordnance, and their blast radius may include your organisation. So better cyber reporting is required to give board-level visibility of those vulnerabilities and the risk.
  • This joint advisory provides prioritised actionable intelligence about where the business should focus – on critical assets and the vulnerabilities that are commonly being exploited to attack organisations.
  • Auditing the environment for the presence of these specifically-mentioned and commonly-exploited vulnerabilities will quickly remove “low hanging fruit” and reduce the risk of an “easy” attack.
  • Improving the cadence of your patching regime and ultimately all your security control audits, while easier said than done, will significantly improve your cyber resilience and reduce your risk of attack.
  • Business leaders need to understand the status of their security controls and cyber resilience at all times. They must appreciate the implications of vulnerabilities for the business; so mitigation steps can be quickly taken to avoid a problem.


[1] CISA/NSA (US), NCSC (UK), ACSC (Australia), CCCS (Canada) and CERT-NZ (New Zealand)

Huntsman Security solutions are helping organisations to gain clear visibility of their vulnerabilities and security control effectiveness; and uncovering gaps in their controls. To find out more about what executives and directors can expect from a robust cyber security control management solution, explore our Essential 8 Auditor and SmartCheck applications, or request a call-back from our team.
