
5 lessons learnt from 2021's vulnerabilities

by Sebastiaan Bosman Blog 21 Feb 2022

2021 saw some major cyber hacks, incidents, and digital risks, from Exchange to Log4j and everything in between. Many of these incidents happened because of vulnerabilities in systems, software, or procedures that threat actors were able to abuse.

Over the whole of 2021, the number of newly reported CVEs went up from 18,325 in 2020 to 20,142 in 2021. That’s an increase of 9.9% in the number of identified vulnerabilities in software. As shown in the figure below, the number of CVEs has been increasing steadily since 2017, and we expect that trend to continue.

[Figure: CVEs per year. Data source: https://www.cvedetails.com/browse-by-date.php]

Increasing vulnerabilities

Where could such an increase come from? Some very brief explanations could be that threat actors are becoming smarter, are automating their approach, and that attack methods are available for purchase to a wider audience. Additionally, digitalisation results in more IT outsourcing, with more software providers playing their part in your overall infrastructure. This increases your dependency on the suppliers’ cybersecurity as well.

A prominent example from March 2021: the Microsoft Exchange vulnerability. It led to two major issues, ProxyShell and ProxyLogon. One vulnerability made thousands of organisations vulnerable to attacks.

Still, it’s not all bad. As the threat of vulnerability abuse grows, so do the defensive efforts. After a zero-day has been discovered, individual security researchers and cybersecurity organisations will immediately start investigating the software for additional issues. A vulnerability could have more than one negative effect. And the larger the vulnerability, the more we see this happen.

This also happened with the Log4j vulnerability. Though initially one issue was detected, researchers discovered two additional related ones, which both got their own CVE registration. And though it’s longer ago, we saw the same happen with the Citrix vulnerability. This too adds to the number of detected CVEs.


Finding a vulnerability

To mitigate a vulnerability, you must first know of its existence. There are a few ways in which that can happen.

Preferably, the vulnerability is brought to your attention by the IT security team, a trusted cybersecurity partner, perhaps via a bug bounty programme or responsible disclosure, or it’s patched in an update from your software provider. You would still need to do a thorough assessment of the risk and mitigation options, but there may be no immediate threat of an incident. Patches can then be tested, or included in the next update.

It is far more problematic when an incident triggers an investigation to find the vulnerability responsible. It means you’ll have to deal with a lot of unknowns. And even when the specific CVE is identified, assessing the impact and coming up with an incident response plan is much more complicated in a time-sensitive situation.


Handling a vulnerability

Having to mitigate a vulnerability could have a big impact on the organisation. Small patches won’t be much of an issue, but having to make changes in larger systems is more difficult. Systems, applications, and programs are almost always linked to something else in the infrastructure, and changing part of one thing can have a negative effect on another.

That’s why an impact assessment is so important. Not just for the digital aspect, but also for the physical processes in your organisation. For instance, in July, a severe vulnerability (CVE-2021-34527) was discovered in Microsoft’s printing architecture, which could result in systems being hacked through malicious printer driver software. To mitigate that, some organisations had to take their printer infrastructure completely offline. As a result, employees were no longer able to print documents, halting paper processes as well as further increasing their online dependencies.


Lessons learnt

There is no such thing as being completely protected from vulnerabilities. There will always be some component of your infrastructure featuring a small programming mistake or other type of risk. Because of the potential impact when such a mistake is abused, there is a continuous incentive to detect vulnerabilities, both for good and for evil.

So what can we do? Having learnt from the events of last year, here are a few tips:

  • Stay informed. It can never hurt to stay updated on current threat and security developments.
  • Keep your basic cyber hygiene up to date. Sounds like an easy one, but it’s very important. You can’t stay safe from all types of attacks and vulnerability abuse, but having your attack surface under control gives you a solid base from which to start incident response when an issue occurs.
  • Take preventative measures. If you have already limited the size of your attack surface, the number of possible entry points for an attacker is reduced as well. Avoid having all sorts of loose ends connected to the internet by simply taking them offline. A good decommissioning process means there’s less to monitor overall.
  • Practice. How should you react when a critical CVE is found in software you use? What is the ideal course of action? What would happen if you’re required to shut an entire system down? What would that cost the organisation in downtime? Creating a process based on these findings will help minimise the impact in case of an actual event.
  • Know your supply chain. Which external organisations is your IT dependent on? Where is your data stored? Having insight into the security posture of your suppliers is the input for constructive security talks, making both your organisations more secure.

Attack Surface Management will give you the insights needed to stay in control. Knowing at all times what software, data, and systems are running, and where, gives you a significant advantage when a new CVE is discovered: you avoid having to first locate potentially vulnerable systems, and can start taking action right away. Interested to see how that works? Read all about Attack Surface Management in our whitepaper.
