It’s no surprise then that security and risk leaders are taking a closer look at hidden threats – both within their own organizations and across their vendor and partner ecosystems – and focusing more than ever on mitigating risk exposure. In the days following the SolarWinds hack, BitSight observed that 71% of organizations with publicly exposed, trojanized versions of the SolarWinds Orion platform acted to patch or remove those instances from their network.
Despite this quick remediation, the breach remains a concerning example of just how vulnerable organizations are to malicious activity in today’s ever-evolving risk landscape.
Major cyber events like the SolarWinds supply chain attack put renewed focus on the importance of robust cybersecurity programs. These hacks shouldn’t distract security leaders from paying attention to common vulnerabilities and exposures (CVEs) in their digital ecosystem, because these more common vulnerabilities can open doors to hackers wanting to hide on their network long-term.
Below we look at the scope and complexity of CVEs and recommend actions security leaders can take to better understand where risk lies in their digital ecosystems.
First, let’s break down the basics and explore the difference between a vulnerability and an exposure.
A vulnerability is defined as a weakness that can potentially be exploited by an attacker to perform unauthorized actions within a network. Common vulnerabilities include:
Last year’s Oracle BlueKai database hack is an example of what happens when a vulnerability – in this case an unsecured server – is exploited.
An exposure is a mistake, such as a misconfigured system or software, that can be exploited by hackers and give them direct control over a system or network. The Capital One data breach is perhaps the most well-known instance of a hacker exploiting a misconfigured web application firewall to gain access to the personally identifiable information of 100 million customers.
Not all vulnerabilities or exposures pose a security risk. If the vulnerability sits on a low-risk asset, it is much less likely to pose a significant risk.
Risk is also dependent on how long a common vulnerability or exposure has existed. A security gap which has been identified and quickly addressed poses much less risk than one that goes undetected for days, weeks, or even months.
These factors underscore the need for security leaders to have visibility into their attack surface and the cyber risk associated with each asset. After all, you can’t secure what you can’t see. With that insight they can prioritize resources and remediation on the areas that pose disproportionate risk. They must also continuously assess their cybersecurity posture for new CVEs and identify areas of unknown risk – in the cloud, on-premises, and across their remote workforce, geographies, and subsidiaries.
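The prioritization the last three paragraphs argue for (severity weighted by asset value, how long the gap has been open, and reachability) can be made concrete. The following is an added example, not BitSight's code or scoring method; the weights, the asset names and the placeholder CVE ids are constructed for the illustration.

```python
# Added example (not BitSight's code): ranking remediation work by the factors the
# article names, namely severity, asset value, how long the gap has been open, and
# whether it is reachable from the internet. The weights are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class Finding:
    asset: str
    cve: str               # placeholder CVE ids, constructed for this example
    cvss: float            # CVSS base score, 0.0 to 10.0
    criticality: int       # 1 = low-value asset, 3 = business-critical asset
    first_seen: date       # when the finding was first observed on the asset
    internet_facing: bool


def risk_score(f: Finding, today: date) -> float:
    """Weight CVSS by asset criticality, exposure age and reachability."""
    days_open = (today - f.first_seen).days
    # Age factor: 1.0 when first seen today, rising to 2.0 once open 60+ days
    age = 1.0 + min(days_open, 60) / 60.0
    reach = 1.5 if f.internet_facing else 1.0
    return f.cvss * f.criticality * age * reach


def prioritise(findings: List[Finding], today: date) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)


def stale(findings: List[Finding], today: date, max_days: int) -> List[str]:
    """Assets whose finding has stayed open longer than the remediation SLA."""
    return [f.asset for f in findings if (today - f.first_seen).days > max_days]


# Constructed inventory: four findings as a scanner or rating service might report them
TODAY = date(2021, 3, 1)
INVENTORY = [
    Finding("vpn-gw-01", "CVE-0000-EXAMPLE-A", 9.8, 3, date(2021, 1, 15), True),
    Finding("dev-test-03", "CVE-0000-EXAMPLE-A", 9.8, 1, date(2021, 2, 27), False),
    Finding("hr-db-02", "CVE-0000-EXAMPLE-B", 6.5, 3, date(2020, 11, 1), False),
    Finding("web-wkst-11", "CVE-0000-EXAMPLE-C", 7.5, 2, date(2021, 2, 1), True),
]

if __name__ == "__main__":
    for f in prioritise(INVENTORY, TODAY):
        print(f"{f.asset:12} {f.cve:20} score={risk_score(f, TODAY):6.2f}")
    print("past 30-day SLA:", stale(INVENTORY, TODAY, 30))
```

The same CVSS 9.8 CVE lands first on the internet-facing gateway and last on the low-value test box, while a medium-severity finding left open four months on the HR database outranks a fresher one on a workstation.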
CVEs can be far-reaching, extending beyond the organization to third and fourth parties. To mitigate these security gaps, security teams need continuous visibility into this extended risk landscape. Annual audits or assessments only provide a point-in-time view of cyber risk. To prevent a supply chain attack like the SolarWinds hack, organizations must continually monitor third-party risk for the lifecycle of their vendor and partner relationships.
New vulnerabilities and exposures are constantly emerging. Fortunately, the National Security Agency (NSA) issues frequent cybersecurity advisories listing CVEs known to have been recently leveraged or scanned for by cyber actors.
A recent advisory warns of potential exploits against a vulnerability in VMware Access and VMware Manager products by Russian state-sponsored cyber actors and recommends mitigation actions. Another points to a list of CVEs actively used by Chinese state-sponsored actors, many of which target remote access or external web services from manufacturers including Citrix, F5, MobileIron, Windows Domain Name System servers, Oracle WebLogic, and more.
Another useful resource is the CVE website. Run by The MITRE Corporation and co-sponsored by the U.S. Department of Homeland Security, the site catalogs publicly known cybersecurity vulnerabilities and is updated regularly. Follow their Twitter feed to stay on top of CVE alerts.
Be sure to read our breakdown of common vulnerabilities associated with remote access, a hot topic right now. We’ve also published our read-out of the NSA’s top vulnerabilities and why organizations are underperforming when it comes to managing them.