On May 12, the U.S. Department of Homeland Security Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigations (FBI) released a joint alert on the top 10 routinely exploited vulnerabilities. Below is a summary of the alert, including a review of the identified cyber vulnerabilities and the effect of patching on cybersecurity.
Why are these vulnerabilities significant?
CISA and the FBI issued the alert in order to provide technical and mitigation guidance on the most Common Vulnerabilities and Exposures (CVEs) exploited by foreign cyber actors. According to the alert, “Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.” Fewer resources mean minimal effort and easy targets for cybercriminals. And without a doubt, some organizations make it even easier by relying on outdated software and hardware. Some healthcare organizations, for example, still use Windows 7, which Microsoft ended support for in January 2020.
RELATED: Smart Device Security Needs Higher Priority in Healthcare Unfortunately, CISA’s top 10 list indicates that most organizations do not install the necessary patches to protect their devices and their systems.
2016–2019 routinely exploited vulnerabilities
The 2016–2019 top 10 routinely exploited vulnerabilities are CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. The provided CVE links are from the National Vulnerability Database. Of the 10, seven relate to Microsoft products (i.e., Office, Windows, SharePoint, and .NET Framework). According to CISA, the targeting of Microsoft products is likely due to their widespread use. Problems with Microsoft’s Object Linking and Embedding technology—CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158—are the most exploited by foreign actors from China, North Korea, Iran, and Russia. CVE-2012-0158 is worrisome as officials discovered and patched the problem in 2012, and reassessed it in 2015; Chinese cyber actors were still using it as of December 2019. The second most reported vulnerable technology is a widespread Web framework known as Apache Struts (CVE-2017-5638). And the final two vulnerabilities are associated with Drupal (CVE-2018-7600) and Adobe Flash Player (CVE-2018-4878) products.
2020 most exploited vulnerabilities
The alert further included three vulnerabilities exasperated by the pandemic and social distancing. 1) Virtual Private Network vulnerabilities ( CVE-2019-19781 and CVE-2019-11510) 2) Microsoft Office 365 cloud problems from increased, unprotected remote working 3) General cybersecurity weaknesses (e.g., lack of training, audits/assessments, and contingency plans). Unfortunately, some cybercriminals are using the pandemic to take advantage of weak cybersecurity while others maliciously target significant industries, such as healthcare, for intelligence on behalf of foreign states. All of this points to the need to prioritize patching.
The need for patching
IT professionals should concentrate on patching to make cyberattacks more difficult, time-consuming, and costly for foreign actors. Ultimately, a patching campaign would bolster cybersecurity defenses. But while patching can be a simple method of protection, the costs sometimes outweigh the advantages.
RELATED: HSCC Requests to Include Patching in Allowable Stark Law Donations “Deploying patches,” officials state, “often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software.” Nevertheless, IT professionals should build patching into an organization’s cybersecurity program from the beginning, along with strong defenses and employee training.
RELATED: HIPAA Compliant Email: The Definitive Guide Patching is sometimes considered a “significant investment of effort,” but in the long run, the cost of mitigating a breach may ultimately be higher.