Common Cybersecurity Vulnerabilities and Exposures to Pay Attention to in 2021

The SolarWinds supply chain attack discovered in late 2020 was a wakeup call for security managers across all industries. The hack is shaping up to be one of the most impactful attacks against a critical supply chain partner in history.

It’s no surprise then that security and risk leaders are taking a closer look at hidden cyber security threats and vulnerabilities – both within their own organizations and across their vendor and partner ecosystems – and focusing more than ever on mitigating risk exposure. In the days following the SolarWinds hack, Bitsight observed that 71% of organizations with publicly exposed, trojanized versions of the SolarWinds Orion platform acted to patch or remove those instances from their network. 

Despite this quick remediation, the breach remains a concerning example of just how vulnerable organizations are to malicious activity in today’s ever-evolving risk landscape.

Major cyber events like the SolarWinds supply chain attack put renewed focus on the importance of robust cybersecurity programs. These hacks shouldn’t distract security leaders from paying attention to common vulnerabilities and exposures (CVEs) in their digital ecosystem, because these more common vulnerabilities can open doors to hackers wanting to hide on their network long-term.

Below we look at the scope and complexity of CVEs and recommend actions security leaders can take to better understand where risk lies in their digital ecosystems.

Common vulnerabilities and exposures: understanding the difference

First, let’s break down the basics and explore the difference between a vulnerability and an exposure.

A vulnerability is defined as a weakness that can potentially be exploited by an attacker to perform unauthorized actions within a network. Common vulnerabilities include:

• Open ports 
• Unpatched systems
• Phishing
• Lack of two-factor authentication. 

Last year’s Oracle BlueKai database hack is an example of what happens when a vulnerability – in this case an unsecured server – is exploited.

An exposure is a mistake, such as a misconfigured system or software, that can be exploited by hackers and give them direct control over a system or network. The Capital One data breach is perhaps the most well-known instance of a hacker exploiting a misconfigured web application firewall to gain access to the personally identifiable information of 100 million customers.

Not all vulnerabilities and exposures are created equal

Not all vulnerabilities or exposures pose a security risk. If the vulnerability is on a low-risk asset it is much less likely to pose a significant risk.

Risk is also dependent on how long a common vulnerability or exposure has existed. A security gap which has been identified and quickly addressed poses much less risk than one that goes undetected for days, weeks, or even months.

These factors underscore the need for security leaders to have visibility into their attack surface and the corresponding cyber risk associated with each asset. After all, you can’t secure what you can’t see. With that insight they can prioritize resources and remediation on areas that pose disproportionate risk. They must also continuously assess their cybersecurity posture for new CVEs and identify areas of unknown risk – in the cloud, on-premise, and across their remote workforce, geographies, and subsidiaries.

Vulnerabilities and exposures extend  to an organization's third parties

CVEs can be far-reaching, extending beyond the organization to third and fourth parties. To mitigate these security gaps, security teams need continuous visibility into this extended risk landscape. Annual audits or assessments only provide a point-in-time view of cyber risk. To prevent a supply chain attack like the SolarWinds hack, organizations must continually monitor third-party risk for the lifecycle of their vendor and partner relationships.

Common vulnerabilities and exposures to keep an eye on

New vulnerabilities and exposures are constantly emerging. Fortunately the National Security Agency (NSA) issues frequent cybersecurity advisories listing CVEs known to be recently leveraged or scanned-for by cyber actors.

A recent advisory warns of potential exploits against a vulnerability in VMware Access and VMware Manager products by Russian state-sponsored cyber actors and recommends mitigation actions. Another points to a list of CVEs actively used by Chinese state-sponsored actors, many of which target remote access or external web services from manufacturers including Citrix, F5, MobileIron, Windows Domain Name System servers, Oracle WebLogic, and more. 

Another useful resource is the CVE website. Run by The MITRE Corporation and co-sponsored by the U.S. Department of Homeland Security, the site catalogs publicly known cybersecurity vulnerabilities and is updated regularly. Follow their Twitter feed to stay on top of CVE alerts.

What to learn more about common vulnerabilities and exposures?

Be sure to read our breakdown of common vulnerabilities associated with remote access, a hot topic right now. We’ve also published our read-out of the NSA’s top vulnerabilities and why organizations are underperforming when it comes to managing them.