2021 saw some major cyber incidents, from Exchange to Log4j and everything in between. Many of them started with a vulnerability in a system, a piece of software or a procedure that threat actors were able to abuse.
Over the whole of 2021, the number of newly reported CVEs went up from 18,325 in 2020 to 20,142 in 2021, an increase of 9.9%. As the figure below shows, the number of CVEs has been rising steadily since 2017, and we expect that trend to continue. (Note that CVE counts per year shift slightly over time, because entries are sometimes published or rejected well after the year they were reserved for; the figures here are as reported by the source at the time of writing.)
Data source: https://www.cvedetails.com/browse-by-date.php
Increasing vulnerabilities
Where does such an increase come from? Part of it is on the attacker side: threat actors are getting more capable, are automating their approach, and attack tooling is for sale to a much wider audience. Part of it is structural: digitalisation means more IT is outsourced, with more software providers playing a part in your overall infrastructure, so your security increasingly depends on the security of your suppliers.
A prominent example from March 2021 is the Microsoft Exchange ProxyLogon vulnerability chain (starting from the server-side request forgery CVE-2021-26855), which was exploited in the wild before patches were available and left tens of thousands of on-premises Exchange servers exposed. Later in the year a second, separate chain in the same product, ProxyShell, was patched and then publicly detailed. One product, two rounds of emergency patching for thousands of organisations.
Still, it's not all bad. As the threat of vulnerability abuse grows, so do the defensive efforts. Once a high-profile vulnerability has been disclosed, individual researchers and security companies immediately turn their attention to the same code base and frequently find related flaws, bypasses or incomplete fixes. The bigger the initial vulnerability, the more of this follow-up research we see.
This also happened with Log4j. The initial issue (Log4Shell) was followed within weeks by several related ones, each with its own CVE, because the first fixes turned out to be incomplete in certain configurations. Although it is longer ago, we saw the same with the Citrix vulnerability. This follow-up research drives up the number of registered CVEs as well, so part of the growth in the figure above is good news rather than bad.
Finding a vulnerability
To mitigate a vulnerability, you first have to know that it exists. There are a few ways in which that can happen.
Preferably, the vulnerability is brought to your attention by your IT security team, a trusted cybersecurity partner, a bug bounty or responsible disclosure programme, or it is already fixed in an update from your software provider. You still need to do a thorough assessment of the risk and the mitigation options, but there is no immediate incident to deal with. Patches can be tested properly and rolled out in a regular maintenance window.
It is far more problematic when an incident triggers the investigation that finds the vulnerability responsible. You are then dealing with a lot of unknowns at once. Even when the specific CVE is identified, assessing the impact and working out an incident response plan is much harder under time pressure than it would have been in advance.
Handling a vulnerability
Having to mitigate a vulnerability can have a big impact on the organisation. Small patches are rarely a problem, but making changes to larger systems is harder. Systems, applications and programs are almost always linked to something else in the infrastructure, and changing one part can break another.
That is why an impact assessment is so important, and not just for the digital side but also for the physical processes in your organisation. For instance, in July 2021 a critical vulnerability (CVE-2021-34527, "PrintNightmare") was disclosed in the Windows Print Spooler service. It let an authenticated user install a malicious printer driver and execute code with SYSTEM privileges, including on domain controllers. Microsoft's interim advice was to disable the Print Spooler service wherever printing was not strictly needed, so some organisations had to take their printing infrastructure offline altogether. Employees could no longer print, which halted paper-based processes and pushed even more of the work onto the systems that were already under pressure.
Lessons learnt
There is no such thing as being completely protected from vulnerabilities. There will always be some component of your infrastructure with a small programming mistake or another type of risk. Because of the potential impact when such a mistake is abused, there is a continuous incentive to find vulnerabilities, for good as well as for evil.
So what can we do? Having learnt from the events of last year, here are a few tips:
- Stay informed. It can never hurt to stay updated on the current threat and security developments.
- Keep your basic cyber-hygiene up to date. It sounds like an easy one, but it is very important. You cannot stay safe from every type of attack or vulnerability abuse, but having your attack surface under control gives you a solid base from which to start incident response when an issue does occur.
- Take preventative measures. If you have limited the size of your attack surface, the number of possible entry points for an attacker shrinks with it. Avoid having all sorts of loose ends connected to the internet; simply take them offline. A good decommissioning process also means there is less to monitor overall.
- Practice. How should you react when a critical CVE is found in software you use? What is the ideal course of action? What would happen if you’re required to shut an entire system down? What would that cost the organisation in down time? Creating a process based on these findings will help minimise the impact in case of an actual event.
- Know your supply chain. Which external organisations does your IT depend on? Where is your data stored? Insight into the security posture of your suppliers is the input for constructive security conversations that make both organisations more secure.
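The "practice" and "know your supply chain" points above come down to one capability: when a new CVE lands, being able to turn an inventory of what you run into a list of affected hosts within minutes. Below is an added example, not code from the original article, of that matching step. The inventory rows are constructed sample data, and the CVE record is modelled on the Log4Shell advisory (CVE-2021-44228) but the version ranges are illustrative, so always take the real ranges from the vendor advisory. The version parser is the part people usually get wrong, so it is written out rather than compared as strings.

```python
"""Cross-reference a software inventory with a CVE's affected version ranges,
so the impact assessment starts from a host list instead of a search.

Added example, not the article's code. INVENTORY is constructed sample data;
LOG4SHELL is modelled on CVE-2021-44228 but its ranges are illustrative."""
import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")


def parse_version(text: str) -> tuple:
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts the way releases
    are numbered: numeric parts compare numerically (2.9 < 2.14, which a plain
    string comparison gets wrong) and a pre-release tag sorts before the final
    release of the same number (2.0-beta9 < 2.0). Raises ValueError on input it
    cannot parse, so callers can flag it instead of silently skipping it."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) > 4:
        raise ValueError(f"too many version components: {text!r}")
    nums += (0,) * (4 - len(nums))              # fixed width: '2.0' -> (2, 0, 0, 0)
    if m.group(2):                              # pre-release: beta9 -> (0, 'beta', 9)
        return nums + (0, m.group(2).lower(), int(m.group(3) or 0))
    return nums + (1, "", 0)                    # final release sorts after any pre-release


@dataclass(frozen=True)
class AffectedRange:
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    ranges: tuple  # usually more than one: vendors backport fixes to older branches


# Illustrative record: affected from 2.0-beta9, fixed in 2.15.0, with a backported
# fix in the 2.12 branch (2.12.2). Check the vendor advisory for the real ranges.
LOG4SHELL = CveRecord(
    cve_id="CVE-2021-44228",
    product="log4j-core",
    ranges=(AffectedRange("2.0-beta9", "2.12.2"), AffectedRange("2.13.0", "2.15.0")),
)

# Constructed inventory: (host, product, version). In practice this comes from a
# CMDB, package manager exports or an SBOM, and its completeness is the whole game.
INVENTORY = [
    ("web-01", "log4j-core", "2.14.1"),
    ("web-02", "log4j-core", "2.15.0"),
    ("batch-07", "log4j-core", "2.0-beta9"),
    ("legacy-03", "log4j-core", "2.12.2"),
    ("legacy-04", "log4j-core", "2.12.1"),
    ("app-09", "log4j-core", "1.2.17"),
    ("app-12", "log4j-core", "unknown"),
    ("db-01", "postgresql", "13.4"),
]


def assess(inventory, cve: CveRecord):
    """Return (affected, review): hosts running an affected version, and hosts
    whose version string could not be parsed. An inventory gap is a finding in
    its own right, never a reason to assume 'not affected'."""
    affected, review = [], []
    for host, product, version in inventory:
        if product != cve.product:
            continue
        try:
            if any(r.contains(version) for r in cve.ranges):
                affected.append((host, version))
        except ValueError:
            review.append((host, version))
    return sorted(affected), sorted(review)


if __name__ == "__main__":
    hit, review = assess(INVENTORY, LOG4SHELL)
    print(f"{LOG4SHELL.cve_id}: {len(hit)} affected host(s), {len(review)} to review")
    for host, version in hit:
        print(f"  affected  {host:<10} {version}")
    for host, version in review:
        print(f"  review    {host:<10} {version!r}")
```

Two design choices matter here. Fixed versions are treated as exclusive upper bounds and several ranges are allowed per CVE, because that is how advisories with backported fixes are actually structured (the 2.12.2 host above is not affected, the 2.12.1 host is). And an unparseable version is reported separately rather than dropped, because on the day a CVE like this lands, "we don't know what version that box runs" is exactly the list you need to chase first.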
Attack Surface Management gives you the insight needed to stay in control. Knowing at all times which software, data and systems you are running, and where, is a significant advantage when a new CVE is published: instead of first having to discover which systems might be vulnerable, you can start taking action right away. Interested to see how that works? Read all about Attack Surface Management below.