Operational resilience

August 2, 2021

Another sort of health warning

A significant cost of the last 18 months of turmoil for many organisations is revealed in a joint cyber security advisory published this week. Organisations everywhere have been challenged by cyber adversaries and their ongoing exploitation of a number of “reliable go to” security vulnerabilities. The rapid shift to remote working for many of us has challenged the ability of cyber professionals everywhere to maintain their defensive efforts; and those chickens are coming home to roost.

In the joint advisory, Cybersecurity and Infrastructure Security Agency (CISA) and FBI in the US, Australian Cyber Security Centre (ACSC) in Australia and National Cyber Security Centre (NCSC) in the UK have shed some light on how the criminal fraternity is adapting and using many of the core IT systems we have been increasingly reliant on, to further its own goals.

In a list of known information security vulnerabilities, identifiable by their Common Vulnerabilities and Exposures (CVEs), the advisory lists the top 30 vulnerabilities that are longstanding and were routinely exploited by malicious cyber actors in 2020. With some new additions to the list, those same vulnerabilities continue to be widely exploited into 2021.

Another impact of COVID-19

In a sign of the times, the joint alert (AA21-209A) acknowledged that remote access to systems and data, so prevalent during the COVID-19 pandemic, was:

(a) a common target for attackers, and

(b) more vital than ever to businesses working remotely.

The advisory noted that:

“Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies.”

Disappointingly, the advisory notes that with increased remote working, many already disclosed vulnerabilities continue to be used by adversaries to compromise unpatched systems.

“Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management.”

The routinely exploited vulnerabilities in 2020

So, what did the attack surface popularity contest look like in 2020?  The table below lists the CVE references and affected products in the advisory.

Vendor CVE Type
Citrix CVE-2019-19781 arbitrary code execution
Pulse CVE 2019-11510 arbitrary file reading
Fortinet CVE 2018-13379 path traversal
F5- Big IP CVE 2020-5902 remote code execution (RCE)
MobileIron CVE 2020-15505 RCE
Microsoft CVE-2017-11882 RCE
Atlassian CVE-2019-11580 RCE
Drupal CVE-2018-7600 RCE
Telerik CVE 2019-18935 RCE
Microsoft CVE-2019-0604 RCE
Microsoft CVE-2020-0787 elevation of privilege
Netlogon CVE-2020-1472 elevation of privilege


The list of remediations provides sobering reading, not least because of the number of times the mitigation strategy advises: “deploy and install a patch” or “upgrade to the latest version”.

Go hard and go early

The importance of mitigating such vulnerabilities promptly, is compounded in the discussion about a common VPN vulnerability:

“The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and retain unauthorized credentials for all users on a compromised Pulse VPN server and can retain unauthorize access after the system is patched unless all compromised credentials are changed.”

So, if an unpatched system is compromised, the attackers can get all the usernames/passwords; and so even if the system is subsequently patched, these credentials will still work and the attacker has access long after the patch is applied. Unless the organisation also changes all user access passwords the system will remain compromised. This is potentially a huge task – brought on purely by a delay in the rollout of the patch as soon as it is available.

Are your security controls effective?

Clearly, keeping up to date with software vulnerabilities has never been more important.  The obvious questions when faced with the established knowledge that known, published vulnerabilities continue be exploited, are: Why aren’t these holes being fixed faster? Why are operations teams, IT security teams, IT admins leaving themselves in this position? The implications for the business can be massive; so, who needs to take action within your organisation?

In light of these revelations, are senior managers and directors sufficiently aware of the state of their security defences and the levels of protection they have from attack?

The 2021 list

For 2021, the advisory reiterates the 2020 list and adds several additional CVE references.

Cyber actors continued to target vulnerabilities in perimeter-type devices such as Firewalls, VPNs and others. In addition to the 2020 list, organisations should prioritise patching for the following CVEs that are known to have been exploited:

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
  • VMware: CVE-2021-21985
  • Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591

Once again, at the risk of repeating themselves, the alert advises security teams to download and apply the patches, upgrade affected versions and check configurations.

Update your approach

There is a clear and recurring message here for both public and private enterprise, and it’s one the security agencies clearly want to emphasise. Organisations are continuing to leave themselves vulnerable to attack; and some exploits are so frequent, and successful, that authorities have published a “leagues table”.

The advisory published today puts the power in every organisation’s hand to fix the most common vulnerabilities, such as unpatched VPN gateway devices,” remarked Paul Chichester from the UK NCSC.

Patching to stay on top of vulnerabilities is hard.  No question.  Some systems can be managed by central software management, but others can’t.  There are always challenges finding time to patch and reboot systems, particularly those that operate 24-hours a day. With so many technologies and so many patches the work may feel never ending but, as this advisory highlights, the cost of not staying on top of your patching controls can seriously impact your operations.

You need clear visibility and understanding of your cyber security controls

The resultant risks to the business from these sorts of vulnerabilities are becoming so significant and the operational implications so great that senior executives and directors, responsible for the overall management of the business, urgently need better risk information. They need visibility of the state of their security controls and measures of any risk resulting from any vulnerabilities.

With objective measurement of the size of these risks, those responsible for their effective management can quickly get an understanding of the nature of their exposure and so execute effective mitigation strategies. This of course is not the sole responsibility of the senior executive or director, however, as the accountable party, they can insist on clear oversight of their cyber risk environment.  From SOC and IT teams up to Executives and Boards, there is an imperative to invest in technologies that provide clear visibility and accurate measurement of where patches are missing, or other unmitigated vulnerabilities exist so they can manage cyber risk just like any other risk faced by their organisation.

A Guide to Cyber Security KPIs


Related Cybersecurity Content


Read by directors, executives, and security professionals globally, operating in the most complex of security environments.