A significant cost of the last 18 months of turmoil for many organisations is revealed in a joint cyber security advisory published this week. Organisations everywhere have been challenged by cyber adversaries and their ongoing exploitation of a number of “reliable go to” security vulnerabilities. The rapid shift to remote working for many of us has challenged the ability of cyber professionals everywhere to maintain their defensive efforts; and those chickens are coming home to roost.
In the joint advisory, Cybersecurity and Infrastructure Security Agency (CISA) and FBI in the US, Australian Cyber Security Centre (ACSC) in Australia and National Cyber Security Centre (NCSC) in the UK have shed some light on how the criminal fraternity is adapting and using many of the core IT systems we have been increasingly reliant on, to further its own goals.
In a list of known information security vulnerabilities, identifiable by their Common Vulnerabilities and Exposures (CVEs), the advisory lists the top 30 vulnerabilities that are longstanding and were routinely exploited by malicious cyber actors in 2020. With some new additions to the list, those same vulnerabilities continue to be widely exploited into 2021.
In a sign of the times, the joint alert (AA21-209A) acknowledged that remote access to systems and data, so prevalent during the COVID-19 pandemic, was:
(a) a common target for attackers, and
(b) more vital than ever to businesses working remotely.
The advisory noted that:
“Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies.”
Disappointingly, the advisory notes that with increased remote working, many already disclosed vulnerabilities continue to be used by adversaries to compromise unpatched systems.
“Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management.”
So, what did the attack surface popularity contest look like in 2020? The table below lists the CVE references and affected products in the advisory.
| Product | CVE | Vulnerability type |
|---|---|---|
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse | CVE-2019-11510 | arbitrary file reading |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| Microsoft | CVE-2020-0787 | elevation of privilege |
| Netlogon | CVE-2020-1472 | elevation of privilege |
The list of remediations provides sobering reading, not least because of the number of times the mitigation strategy advises: “deploy and install a patch” or “upgrade to the latest version”.
The importance of mitigating such vulnerabilities promptly is compounded in the discussion about a common VPN vulnerability:
“The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and retain unauthorized access after the system is patched unless all compromised credentials are changed.”
So, if an unpatched system is compromised, the attackers can get all the usernames/passwords; and so even if the system is subsequently patched, these credentials will still work and the attacker has access long after the patch is applied. Unless the organisation also changes all user access passwords the system will remain compromised. This is potentially a huge task – brought on purely by a delay in the rollout of the patch as soon as it is available.
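To make the "patch alone is not enough" point concrete, the following added example (not from the advisory or this post) checks a constructed inventory of VPN gateways and user accounts: a gateway is only considered clean once it is patched, and an account only once its password was changed after that patch date. The appliance names, dates and account names are invented sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample inventory (not real systems): two gateways affected by
# CVE-2019-11510 plus the accounts that authenticate through them.
@dataclass
class Appliance:
    name: str
    cve: str
    patched_on: Optional[date]  # None means the fix has not been applied yet

@dataclass
class Account:
    user: str
    gateway: str
    last_password_change: date

APPLIANCES = [
    Appliance("vpn-gw-01", "CVE-2019-11510", date(2020, 6, 1)),
    Appliance("vpn-gw-02", "CVE-2019-11510", None),
]
ACCOUNTS = [
    Account("alice", "vpn-gw-01", date(2020, 7, 15)),  # rotated after patch: clean
    Account("bob",   "vpn-gw-01", date(2020, 1, 10)),  # rotated before patch: still at risk
    Account("carol", "vpn-gw-01", date(2020, 6, 1)),   # same day as patch: treat as not rotated
    Account("dave",  "vpn-gw-02", date(2021, 3, 3)),   # gateway unpatched: still exposed
]

def residual_risk(appliances: List[Appliance], accounts: List[Account]) -> Tuple[List[str], List[str]]:
    """Return (gateways still unpatched, accounts whose credentials still need rotating).

    Every credential usable on a gateway while it was vulnerable is treated as
    stolen. Patching closes the hole, but only a password change strictly after
    the patch date invalidates what an attacker may already hold.
    """
    by_name = {a.name: a for a in appliances}
    unpatched = sorted(a.name for a in appliances if a.patched_on is None)
    stale = []
    for acct in accounts:
        gw = by_name[acct.gateway]
        # Unpatched gateway: any rotation so far can be undone by re-exploitation.
        if gw.patched_on is None or acct.last_password_change <= gw.patched_on:
            stale.append(acct.user)
    return unpatched, sorted(stale)

if __name__ == "__main__":
    gateways, users = residual_risk(APPLIANCES, ACCOUNTS)
    print("unpatched gateways:", gateways)
    print("credentials to rotate:", users)
```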
Clearly, keeping up to date with software vulnerabilities has never been more important. The obvious questions when faced with the established knowledge that known, published vulnerabilities continue to be exploited are: Why aren’t these holes being fixed faster? Why are operations teams, IT security teams and IT admins leaving themselves in this position? The implications for the business can be massive; so, who needs to take action within your organisation?
In light of these revelations, are senior managers and directors sufficiently aware of the state of their security defences and the levels of protection they have from attack?
For 2021, the advisory reiterates the 2020 list and adds several additional CVE references.
Cyber actors continued to target vulnerabilities in perimeter-type devices such as firewalls, VPNs and others. In addition to the 2020 list, organisations should prioritise patching for the following CVEs that are known to have been exploited:
Once again, at the risk of repeating themselves, the alert advises security teams to download and apply the patches, upgrade affected versions and check configurations.
There is a clear and recurring message here for both public and private enterprise, and it’s one the security agencies clearly want to emphasise. Organisations are continuing to leave themselves vulnerable to attack; and some exploits are so frequent, and successful, that authorities have published a “league table”.
“The advisory published today puts the power in every organisation’s hand to fix the most common vulnerabilities, such as unpatched VPN gateway devices,” remarked Paul Chichester from the UK NCSC.
Patching to stay on top of vulnerabilities is hard. No question. Some systems can be managed by central software management, but others can’t. There are always challenges finding time to patch and reboot systems, particularly those that operate 24 hours a day. With so many technologies and so many patches the work may feel never ending but, as this advisory highlights, the cost of not staying on top of your patching controls can seriously impact your operations.
The resultant risks to the business from these sorts of vulnerabilities are becoming so significant and the operational implications so great that senior executives and directors, responsible for the overall management of the business, urgently need better risk information. They need visibility of the state of their security controls and measures of any risk resulting from any vulnerabilities.
With objective measurement of the size of these risks, those responsible for their effective management can quickly get an understanding of the nature of their exposure and so execute effective mitigation strategies. This of course is not the sole responsibility of the senior executive or director, however, as the accountable party, they can insist on clear oversight of their cyber risk environment. From SOC and IT teams up to Executives and Boards, there is an imperative to invest in technologies that provide clear visibility and accurate measurement of where patches are missing, or other unmitigated vulnerabilities exist so they can manage cyber risk just like any other risk faced by their organisation.